
Cpanel::JSON::XS CVE-2026-9334

EUVD: EUVD-2026-34060 · HIGH
Weakness: Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-06-03 · CPANSec · GHSA-qfqj-xxqv-cxfw
CVSS 3.1 (NVD): 7.3

Severity by source

NVD (primary): 7.3 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE: HIGH (qualitative rating, no vector)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

Jun 03, 2026 18:24 (vuln.today): Source code evidence fetched
Jun 03, 2026 18:24 (vuln.today): Analysis generated
Jun 03, 2026 18:22 (NVD): CVSS changed from 7.3 (no severity) to 7.3 (HIGH)
Jun 03, 2026 00:15 (NVD): CVE published, no severity yet

Description (CVE.org)

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.

A caller that decodes untrusted JSON with dupkeys_as_arrayref enabled can be crashed, and the incompatible access follows a pointer taken from attacker-controlled scalar contents.
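The test-order bug described above, as an added C model. This is not Cpanel::JSON::XS source and not the upstream 4.41 fix: the SV layout, the type codes, the constructors and the hardened condition are this example's own assumptions, reduced to the two properties the bug depends on, namely that SvTYPE() is the low byte of a flags word and that SvRV() reads the union slot that also holds a string pointer or an integer value without checking that the scalar is a reference. The vulnerable function reproduces the condition quoted in the description; because && evaluates its right operand whenever the left one is true, SvRV(old_value) is evaluated exactly when old_value is not a reference. The example also goes one step beyond the description: it constructs a string body whose bytes at the flags offset spell SVt_PVAV, so the misread does not crash but silently selects the av_push() branch against a string.

```c
/* Added example: toy model of the dupkeys_as_arrayref merge in decode_hv().
 * Not Cpanel::JSON::XS code. The SV below keeps only what the bug needs:
 * SvTYPE() is the low byte of flags, SvRV() is an unchecked read of a union
 * slot shared with the string pointer and the integer value. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct SV SV;
struct SV {
    uint32_t refcnt;
    uint32_t flags;          /* low byte: type code; SVf_ROK bit: is a reference */
    union {                  /* one slot, several views, as in perl's sv_u */
        char    *pv;         /* string body   (SVt_PV) */
        intptr_t iv;         /* integer value (SVt_IV) */
        SV      *rv;         /* referent      (SVt_RV) */
    } u;
};

enum { SVt_IV = 1, SVt_RV = 2, SVt_PV = 3, SVt_PVAV = 11 }; /* toy codes */
#define SVTYPEMASK 0xffu
#define SVf_ROK    0x800u
#define SvROK(sv)  (((sv)->flags & SVf_ROK) != 0)
#define SvRV(sv)   ((sv)->u.rv)   /* unchecked union read, like perl's macro */

/* SvTYPE of whatever lives at p. Perl reads the field directly; memcpy fetches
 * the same bytes without aliasing UB, so the demo can aim it at a string body. */
uint32_t sv_type_at(const void *p) {
    uint32_t flags;
    memcpy(&flags, (const char *)p + offsetof(SV, flags), sizeof flags);
    return flags & SVTYPEMASK;
}
#define SvTYPE(sv) sv_type_at(sv)

enum merge { MERGE_NEW_ARRAY, MERGE_PUSH_EXISTING };

/* Vulnerable order from the advisory: for a non-reference the left operand is
 * true, so && goes on to evaluate SvRV() on a plain scalar. */
enum merge merge_dupkey_vulnerable(const SV *old_value) {
    if (SvTYPE(old_value) != SVt_RV && SvTYPE(SvRV(old_value)) != SVt_PVAV)
        return MERGE_NEW_ARRAY;       /* wrap as [old, new] */
    return MERGE_PUSH_EXISTING;       /* av_push((AV *)SvRV(old_value), new) */
}

/* Hardened order (this example's fix, not the upstream commit): settle "is it
 * a reference?" first; || short-circuits before SvRV() runs for non-refs. */
enum merge merge_dupkey_hardened(const SV *old_value) {
    if (!SvROK(old_value) || SvTYPE(SvRV(old_value)) != SVt_PVAV)
        return MERGE_NEW_ARRAY;
    return MERGE_PUSH_EXISTING;
}

/* Address the vulnerable check reads through for a non-reference: the string
 * body pointer for SVt_PV, the integer value itself for SVt_IV. */
uintptr_t vulnerable_read_address(const SV *old_value) {
    return (uintptr_t)SvRV(old_value);
}

static void *xcalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }

/* Constructors for the decoded-value shapes (constructed test data). String
 * bodies are zeroed and at least sizeof(SV) long so the misread stays in
 * bounds and deterministic; a real short body makes it a heap over-read. */
SV *make_string(const void *body, size_t len) {
    SV *sv = xcalloc(sizeof *sv);
    sv->flags = SVt_PV;
    sv->u.pv = xcalloc(len < sizeof(SV) ? sizeof(SV) : len);
    memcpy(sv->u.pv, body, len);
    return sv;
}
SV *make_integer(intptr_t v) {
    SV *sv = xcalloc(sizeof *sv);
    sv->flags = SVt_IV;
    sv->u.iv = v;
    return sv;
}
SV *make_arrayref(void) {
    SV *av = xcalloc(sizeof *av), *rv = xcalloc(sizeof *rv);
    av->flags = SVt_PVAV;
    rv->flags = SVt_RV | SVf_ROK;
    rv->u.rv = av;
    return rv;
}
/* Attacker string whose bytes at the flags offset all read SVt_PVAV (every
 * byte, so the low byte matches on either endianness): the vulnerable check
 * "sees" an array header inside a string body and would av_push() into it. */
SV *make_forged_array_string(void) {
    unsigned char body[sizeof(SV)] = {0};
    memset(body + offsetof(SV, flags), SVt_PVAV, sizeof(uint32_t));
    return make_string(body, sizeof body);
}

int main(void) {
    SV *str = make_string("AAAAAAAAAAAAAAAA", 16);
    SV *forged = make_forged_array_string();
    printf("string:  vulnerable=%d hardened=%d (misread type 0x%02x from body)\n",
           merge_dupkey_vulnerable(str), merge_dupkey_hardened(str),
           (unsigned)sv_type_at(str->u.pv));
    printf("forged:  vulnerable=%d hardened=%d\n",
           merge_dupkey_vulnerable(forged), merge_dupkey_hardened(forged));
    printf("integer: vulnerable check would read near 0x%lx\n",
           (unsigned long)vulnerable_read_address(make_integer(0x41414141)));
    return 0;
}
```

For the integer case the program only reports the address; executing the vulnerable check there would dereference 0x41414141, which is the crash the advisory describes. The 16-byte "AAAA…" body shows the other outcome: the misread returns type 0x41, which happens not to equal SVt_PVAV, so the buggy code takes the correct branch after an access it had no right to make. The forged body shows why that accident cannot be relied on.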

Analysis (AI-generated)

Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 lets a remote attacker crash a decoder by submitting JSON with duplicate object keys when the dupkeys_as_arrayref option is enabled. The decode_hv() routine applies SvRV() to a scalar before verifying that it is a reference, so the scalar's own contents (a string-body pointer or an integer value) become the address of the next access. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify a Perl service that decodes JSON with dupkeys_as_arrayref enabled
Delivery: Send a JSON body with a duplicated key whose first value is a scalar
Exploit: Trigger SvRV() on a non-reference scalar in decode_hv()
Execution: Attacker-controlled bytes are dereferenced as an SV pointer
Impact: Worker process crashes, denying service

Vulnerability Assessment (AI-generated)

Exploitation: Requires that the target Perl application explicitly enable the non-default dupkeys_as_arrayref decoder option on its Cpanel::JSON::XS instance and then decode attacker-supplied JSON containing at least one duplicated object key whose earlier value is a plain scalar rather than an array reference. …
Risk Assessment: CVSS 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects unauthenticated network reachability with low complexity, but the L/L/L impact triad is consistent with a crash or a memory-corrupting misread rather than reliable RCE, and CISA SSVC characterizes technical impact as 'partial' with exploitation status 'none'. …
Exploit Scenario: An attacker sends a small crafted JSON body such as {"a":"AAAA","a":"BBBB"} to a Perl-based HTTP API that decodes request bodies with Cpanel::JSON::XS configured with dupkeys_as_arrayref enabled. On the second occurrence of key a, decode_hv() calls SvRV() on the plain scalar "AAAA"; for a non-reference that macro returns whatever the scalar's value slot holds rather than a referent, so the SvTYPE() read that follows lands on attacker-influenced bytes or at an attacker-chosen address. The worker process can crash, and repeating the request denies service. …
Remediation: Upgrade to Cpanel::JSON::XS 4.41 or later from CPAN (https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes); the upstream commit is https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2 and the oss-security announcement is at https://seclists.org/oss-sec/2026/q2/791. Because the option is off by default and the vulnerable branch is only reached with it on, leaving dupkeys_as_arrayref disabled on decoders that see untrusted input is a complete workaround until the upgrade lands. …

Recommended Action (AI-generated)

Within 24 hours: Inventory all systems running Cpanel::JSON::XS, record the installed version of each, and locate the code paths that enable dupkeys_as_arrayref, since only those are exposed. …


Vendor Status

Debian (Bug #1138273, source package libcpanel-json-xs-perl)

Release                        Status       Version           Urgency
bullseye                       vulnerable   4.25-1            -
bullseye (security)            vulnerable   4.25-1+deb11u1    -
bookworm, bookworm (security)  vulnerable   4.35-1+deb12u1    -
trixie, trixie (security)      vulnerable   4.39-2~deb13u1    -
forky, sid                     fixed        4.41-1            -
(unstable)                     fixed        4.41-1            -

SUSE (severity: High)

Product                                              Status
openSUSE Tumbleweed                                  Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7  Fixed


CVE-2026-9334 vulnerability details – vuln.today
