Description
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.

When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
Published: 2026-06-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cpanel::JSON::XS before 4.41 can be made to abort the Perl interpreter when a JSON document that begins with a UTF‑8 byte order mark (bytes EF BB BF) is decoded and a registered filter callback, for example one installed with filter_json_object, throws an exception. To skip the BOM the module moves the input scalar's string pointer three bytes into the scalar's own buffer and shortens its length, and undoes this only on the normal return path. If the callback croaks, the undo is skipped and the scalar keeps the offset pointer and shortened length. When Perl later frees that scalar, the allocator is handed a pointer that is not the start of an allocation and the process aborts. The outcome is a crash of the whole process and loss of availability; the CVSS vector (C:N/I:N/A:H) indicates no confidentiality or integrity impact.

Affected Systems

The vulnerability affects the Cpanel::JSON::XS Perl module (CPAN author RURBAN) in every version before 4.41. Exposure is limited to code paths that decode attacker‑influenced JSON through a decoder object with a filter callback installed and where that callback can die; typical cases are web services, APIs and configuration loaders that use a callback to validate or reject objects. The trigger described in the advisory requires such a throwing callback, so a decode without one does not reach the described failure.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is High severity: reachable over the network, no privileges or user interaction required, availability impact only. The EPSS score below 1% and the absence from CISA's KEV catalog indicate that no exploitation has been observed. Exploitability in practice hinges on one application‑side condition: the process must decode attacker‑supplied JSON through a filter callback that can throw. Where that holds, a single document prefixed with EF BB BF crashes the process deterministically and the SSVC assessment of "Automatable: yes" is warranted; where no such callback is installed, the described trigger is absent.

Generated by OpenCVE AI on June 3, 2026 at 19:21 UTC.

Remediation

Vendor Solution

Upgrade to Cpanel::JSON::XS 4.41 or later.


OpenCVE Recommended Actions

  • Upgrade Cpanel::JSON::XS to version 4.41 or later.
  • Until the upgrade is deployed, strip a leading UTF‑8 BOM (EF BB BF) from the payload before decoding, working on a copy so the caller's scalar is not modified, or route every decode through a wrapper that does so; the pointer adjustment only happens when a BOM is present.
  • Do not let filter callbacks raise exceptions: catch the error inside the callback, return the object unchanged, and re‑raise after decode() has returned. Wrapping the decode call itself in an eval block does not prevent the crash: the exception is caught, but the input scalar is already corrupted and the abort happens when that scalar is freed.

Generated by OpenCVE AI on June 3, 2026 at 19:21 UTC.
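As an added example, not from the advisory or from the Cpanel::JSON::XS project itself, the following Perl shows the vulnerable pattern the description above refers to (a filter_json_object callback that dies while decoding a BOM‑prefixed document) next to a wrapper that applies both pre‑upgrade mitigations from the recommended actions: strip the BOM on a copy before decoding, and keep the callback's exception from escaping until decode() has returned and restored the scalar on its normal path. The `__class__` rejection rule and the sample documents are assumptions made up for the illustration; the module calls used (new, utf8, filter_json_object, decode, VERSION) are Cpanel::JSON::XS's real interface.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of Cpanel::JSON::XS.
use strict;
use warnings;
use Cpanel::JSON::XS;

# Constructed sample inputs: a UTF-8 BOM (EF BB BF) followed by a document.
# The "__class__" key is an assumed validation rule for this example only.
my $bom_bad  = "\xEF\xBB\xBF" . '{"__class__":"Evil","x":1}';
my $bom_good = "\xEF\xBB\xBF" . '{"x":1}';

# Vulnerable pattern: the callback croaks while the module (< 4.41) has the
# input scalar's string pointer advanced past the BOM.  On an unfixed module
# the exception propagates, the scalar is left corrupted, and the interpreter
# aborts when it is freed, whether or not the caller wrapped this in eval.
sub decode_unsafe {
    my ($text) = @_;
    my $json = Cpanel::JSON::XS->new->utf8->filter_json_object(sub {
        my ($obj) = @_;
        die "unexpected class tag\n" if exists $obj->{__class__};
        return ();    # empty list: keep the object unchanged
    });
    return $json->decode($text);
}

# Hardened wrapper.
sub decode_safe {
    my ($text) = @_;

    # 1. Strip the BOM ourselves, on a copy, so the module never has to
    #    move the caller's string pointer.
    (my $clean = $text) =~ s/\A\xEF\xBB\xBF//;

    # 2. Never let an exception escape the callback: remember it, return the
    #    object untouched, and re-raise only after decode() has returned
    #    (the normal path, on which the module restores the scalar).
    my $err;
    my $json = Cpanel::JSON::XS->new->utf8->filter_json_object(sub {
        my ($obj) = @_;
        eval {
            die "unexpected class tag\n" if exists $obj->{__class__};
            1;
        } or $err //= $@;
        return ();
    });
    my $data = $json->decode($clean);
    die $err if defined $err;
    return $data;
}

# Flag an affected module version (UNIVERSAL::VERSION dies if too old).
eval { Cpanel::JSON::XS->VERSION(4.41); 1 }
    or warn "Cpanel::JSON::XS $Cpanel::JSON::XS::VERSION is affected by "
          . "CVE-2026-9516; upgrade to 4.41 or later\n";

my $good = decode_safe($bom_good);
print "decoded: x=$good->{x}\n";              # BOM stripped, document accepted

my $bad = eval { decode_safe($bom_bad) };
print defined $bad ? "decoded\n" : "rejected cleanly: $@";   # no abort
```

decode_unsafe is defined but deliberately not called: on an affected version it would take the whole process down, and on 4.41 or later it simply dies with the callback's message. The two mitigations in decode_safe are independent; either one alone avoids the skipped restore, and applying both costs nothing.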

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rurban cpanel\:\:json\:\:xs
CPEs                                   cpe:2.3:a:rurban:cpanel\:\:json\:\:xs:*:*:*:*:*:perl:*:*
Vendors & Products                     Rurban cpanel\:\:json\:\:xs

Wed, 03 Jun 2026 18:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                                       ssvc (version 2.0.3): Automatable yes, Exploitation none, Technical Impact partial

Wed, 03 Jun 2026 11:15:00 +0000

Type                  Values Removed   Values Added
References

Wed, 03 Jun 2026 04:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rurban
                                       Rurban cpanel::json::xs
Vendors & Products                     Rurban
                                       Rurban cpanel::json::xs

Wed, 03 Jun 2026 02:30:00 +0000

Type                  Values Removed   Values Added
Description                            (identical to the Description at the top of this page)
Title                                  Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws
Weaknesses                             CWE-755
                                       CWE-763
References

MITRE

Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-06-03T15:58:49.426Z
Reserved: 2026-05-25T18:54:26.396Z
Link: CVE-2026-9516

Vulnrichment

Updated: 2026-06-03T09:35:39.521Z

NVD

Status: Analyzed
Published: 2026-06-03T01:16:23.430
Modified: 2026-06-05T17:35:52.507
Link: CVE-2026-9516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T19:30:36Z

Weaknesses
  • CWE-755: Improper Handling of Exceptional Conditions
  • CWE-763: Release of Invalid Pointer or Reference