Description
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption.

The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead.

Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Published: 2026-04-29
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Text::CSV_XS modules earlier than 1.62 contain a use‑after‑free flaw that occurs when a user‑registered callback enlarges the Perl argument stack and triggers a reallocation. The library keeps a stale pointer to the original stack, and after the callback returns, it writes the return value through this deprecated pointer into freed memory. This corruption can manifest as malformed return values, logic errors, or crashes. The mention of type confusion in the advisory indicates that the corrupted memory may affect data type handling within the interpreter, which could worsen the impact.

Affected Systems

All installations of HMBRAND:Text::CSV_XS with a version number less than 1.62 are affected. The vulnerability exists only when scripts register callbacks such as after_parse, before_print, or on_error; use of the module without callbacks leaves it safe. The module is a Perl library for CSV parsing distributed under the CPAN distribution name Text::CSV_XS.

Risk and Exploitability

Because the flaw requires an attacker to influence the script to register callbacks and craft input that expands the stack, the attack surface is constrained to applications that use callbacks and have sufficient privileges. The CVSS score of 8.4 indicates a high severity, but the EPSS metric is not provided, so the likely exploitation probability cannot be quantified from the available data. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. Nonetheless, memory corruption in a core interpreter component could potentially result in crashes or logic errors when legacy versions are used, but the CVE description does not declare arbitrary code execution.

Generated by OpenCVE AI on April 30, 2026 at 14:01 UTC.

Remediation

Vendor Solution

Upgrade to 1.62 or later.

OpenCVE Recommended Actions

  • Upgrade the Text::CSV_XS module to version 1.62 or later, which removes the use‑after‑free bug.
  • If an upgrade is not possible, eliminate or disable all user‑registered callbacks to avoid the stack reallocation path.
  • Add defensive checks around CSV parsing and monitor the application for crashes or abnormal behavior when legacy versions are in use.

Generated by OpenCVE AI on April 30, 2026 at 14:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Hmbrand text\
CPEs cpe:2.3:a:hmbrand:text\:\:csv_xs:*:*:*:*:*:perl:*:*
Vendors & Products Hmbrand text\

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hmbrand
Hmbrand text::csv Xs
Vendors & Products Hmbrand
Hmbrand text::csv Xs

Wed, 29 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Title Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption
Weaknesses CWE-416
CWE-825
References

Subscriptions

Hmbrand Text::csv Xs Text\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-29T17:49:17.981Z

Reserved: 2026-04-26T15:31:25.111Z

Link: CVE-2026-7111

cve-icon Vulnrichment

Updated: 2026-04-29T16:33:25.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T15:16:09.183

Modified: 2026-05-06T16:16:52.697

Link: CVE-2026-7111

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:15:40Z

Weaknesses