CVE-2026-9334

Source
https://cve.org/CVERecord?id=CVE-2026-9334
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9334.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9334
Downstream
Related
Published
2026-06-03T00:15:16.202Z
Modified
2026-07-15T01:49:07.054526492Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Details

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled.

decodehv() collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which evaluates SvRV(oldvalue) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.

A caller decoding untrusted JSON with dupkeysasarrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.

Database specific
{
    "cna_assigner": "CPANSec",
    "cwe_ids": [
        "CWE-843"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9334.json"
}
References

Affected packages

Git / github.com/rurban/cpanel-json-xs

Affected ranges

Type
GIT
Repo
https://github.com/rurban/cpanel-json-xs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:rurban:cpanel\\:\\:json\\:\\:xs:*:*:*:*:*:perl:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.41"
        }
    ]
}

Affected versions

2.*
2.27
2.28
2.29
2.3
2.31
2.32
2.3305
2.3306
2.3307
2.3308
2.3309
2.3310
2.3311
2.3313
2.3314
2.33_02
2.33_04
2.3401
2.3402
2.3403
2.3404
3.*
3.0101
3.0102
3.0103
3.0104
3.0105
3.0106
3.0109
3.0110
3.0111
3.0112
3.0113
3.0114
3.0115
3.0201
3.0202
3.0204
3.0205
3.0206
3.0207
3.0208
3.0209
3.0210
3.0211
3.0212
3.0213
3.0213_01
3.0213_02
3.0214
3.0215
3.0216
3.0217
3.0217_01
3.0217_02
3.0217_03
3.0217_04
3.0217_05
3.0217_06
3.0218
3.0219
3.0220
3.0221
3.0222
3.0223
3.0224
3.0225
3.0226
3.0227
3.0229
3.0232
3.0233
3.0234
3.0235
3.0236
3.0237
3.0238
3.0239
3.0240
3.99_01
3.99_02
3.99_03
4.*
4.00
4.01
4.02
4.03
4.04
4.05
4.06
4.07
4.08
4.09
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.27
4.28
4.29
4.30
4.31
4.32
4.33
4.34
4.35
4.36
4.37
4.38
4.39
4.40

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9334.json"