Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.
To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.
When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
AnalysisAI
Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller that decodes a UTF-8 BOM prefixed JSON document with a throwing filter callback. The flaw arises from a missed pointer restoration when decode_json aborts via a Perl exception, leaving the input scalar with a corrupted SvPVX pointer that fatally aborts the interpreter on later free. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to (1) be decoding attacker-controlled JSON via Cpanel::JSON::XS prior to 4.41, (2) have the input begin with a 3-byte UTF-8 BOM (0xEF 0xBB 0xBF), and (3) have one of three specific callbacks registered on the JSON object that can throw during decoding: filter_json_object, filter_json_single_key_object, or allow_tags(1) with a THAW handler that croaks. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals diverge sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a single JSON document beginning with the three-byte UTF-8 BOM (0xEF 0xBB 0xBF) to a network-exposed Perl service whose JSON parser is configured with a filter_json_object, filter_json_single_key_object, or allow_tags+THAW callback that can throw on malformed or unexpected content. The decoder advances the input SV's buffer pointer past the BOM, the filter callback croaks while processing the document, and the SV is left with an offset pointer; when Perl later frees the scalar the allocator receives an invalid base and aborts the worker, crashing the service. … |
| Remediation | Upgrade Cpanel::JSON::XS to version 4.41 or later, which removes the in-place SvPV_set BOM-skip and replaces it with a local offset (upstream commit dfe1b41a36caba51dc12a2917fe50285d1ffaa7b, https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b.patch); the 4.41 release is on CPAN and changes are documented at https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes, with the oss-security announcement at https://seclists.org/oss-sec/2026/q2/792. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit inventory to identify all applications and systems using Cpanel::JSON::XS module. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary f
SQL injection in the cPanel/WHM sqloptimizer utility script allows attackers to execute arbitrary SQL queries as the MyS
Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 allows remote attackers to crash a decoder by submitting
Privilege escalation in cPanel and WP Squared allows an authenticated team member account to elevate privileges to the t
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on
Same weakness CWE-763 – Release of Invalid Pointer or Reference
View allSame technique Denial Of Service
View allVendor StatusVendor
Debian
Bug #1138273| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 4.25-1 | - |
| bullseye (security) | vulnerable | 4.25-1+deb11u1 | - |
| bookworm, bookworm (security) | vulnerable | 4.35-1+deb12u1 | - |
| trixie (security), trixie | vulnerable | 4.39-2~deb13u1 | - |
| forky, sid | fixed | 4.41-1 | - |
| (unstable) | fixed | 4.41-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34061
GHSA-32gp-2g42-v9vc