Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled.
decodehv() collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which evaluates SvRV(oldvalue) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.
A caller decoding untrusted JSON with dupkeysasarrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
{
"cna_assigner": "CPANSec",
"cwe_ids": [
"CWE-843"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9334.json"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:rurban:cpanel\\:\\:json\\:\\:xs:*:*:*:*:*:perl:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.41"
}
]
}