Description
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.

When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
Published: 2026-06-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cpanel::JSON::XS versions before 4.41 will trigger a denial-of-service when decode_json receives a JSON document prefixed with a UTF-8 Byte Order Mark and a registered filter callback throws an exception. The library removes the BOM from the input string and, if an exception propagates, mistakenly leaves the scalar pointing into an already shortened buffer. When that corrupted scalar is freed, the allocator receives an invalid pointer, causing the Perl interpreter to abort. This leads to an application crash and loss of availability.

Affected Systems

The vulnerability affects the RURBAN Cpanel::JSON::XS Perl module: any installation prior to version 4.41. This includes all systems that parse JSON with this module under Perl, such as web applications or services that rely on it for configuration or data handling.

Risk and Exploitability

The CVSS score is not provided in the data, and no EPSS score is available. The vulnerability is not listed in CISA's KEV catalog. However, because a single malformed UTF-8 BOM prefixed document can trigger the crash, the risk of availability impact is high. An attacker could supply such a document to any process that calls decode_json with a potentially throwing callback, reliably causing a denial-of-service. The lack of exploitation prerequisites beyond input injection makes this vulnerability a near-certain high-impact denial of service.

Generated by OpenCVE AI on June 3, 2026 at 04:27 UTC.

Remediation

Vendor Solution

Upgrade to Cpanel::JSON::XS 4.41 or later.
OpenCVE Recommended Actions

  • Upgrade Cpanel::JSON::XS to version 4.41 or later.
  • Remove any UTF-8 BOM prefixes from JSON payloads before invoking decode_json, or replace the decode_json call with a wrapper that cleans the input string.
  • Ensure that any decode_json filter callbacks used by the application do not throw exceptions; if unavoidable, wrap decode_json invocations in an eval block and allow the process to continue after an exception instead of aborting.
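The following wrapper is an added example, not code from the advisory or from the Cpanel::JSON::XS project; it applies the second and third recommendations together: the BOM is stripped from a copy of the input before the decoder ever sees it, and the decode runs inside an eval so a throwing filter callback is turned into an error return. The helper names (strip_utf8_bom, safe_decode_json), the sample payload and the filter are constructed for this example; the decoder calls (new, utf8, filter_json_object, decode) are the module's documented object-oriented API.

```perl
use strict;
use warnings;
use Cpanel::JSON::XS ();

# Strip a leading 3-byte UTF-8 BOM (EF BB BF) from a byte string.
# Works on a copy so the caller's scalar is never handed to the decoder.
sub strip_utf8_bom {
    my ($bytes) = @_;
    $bytes =~ s/\A\xEF\xBB\xBF//;
    return $bytes;
}

# Decode JSON bytes with an optional filter_json_object callback.
# Returns ($data, undef) on success or (undef, $error) when the decoder or
# the callback throws; the calling process keeps running either way.
sub safe_decode_json {
    my ($bytes, $filter) = @_;
    my $decoder = Cpanel::JSON::XS->new->utf8;
    $decoder->filter_json_object($filter) if $filter;
    my $cleaned = strip_utf8_bom($bytes);   # BOM gone before decode() runs
    my $data = eval { $decoder->decode($cleaned) };
    return (undef, "decode failed: $@") if $@;
    return ($data, undef);
}

# Constructed sample: a BOM-prefixed document and a filter that throws when
# an object lacks a required key (a "throwing filter callback" in the
# advisory's terms).
my $payload = "\xEF\xBB\xBF" . '{"user":"alice"}';
my $require_id = sub {
    my ($obj) = @_;
    die "object is missing required key 'id'\n" unless exists $obj->{id};
    return ();   # empty list: keep the deserialised object as-is
};

my ($data, $err) = safe_decode_json($payload, $require_id);
print defined $err ? "rejected: $err" : "decoded ok\n";

($data, $err) = safe_decode_json($payload);
print defined $err ? "rejected: $err" : "decoded user=$data->{user}\n";
```

On an unpatched build the eval by itself is not sufficient: per the description the scalar is already corrupted when the exception leaves the decoder, so it is the BOM strip on a copy that keeps the crash from being triggered. Upgrading to 4.41 or later remains the actual fix.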

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 03 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rurban; Rurban cpanel::json::xs
Vendors & Products | | Rurban; Rurban cpanel::json::xs

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
Title | | Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws
Weaknesses | | CWE-755; CWE-763
References | |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-03T09:35:39.521Z

Reserved: 2026-05-25T18:54:26.396Z

Link: CVE-2026-9516

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T01:16:23.430

Modified: 2026-06-03T11:16:20.387

Link: CVE-2026-9516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses