CVE-2026-9516

Source
https://cve.org/CVERecord?id=CVE-2026-9516
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9516.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9516
Downstream
Related
Published
2026-06-03T00:15:51.685Z
Modified
2026-07-15T01:49:05.958442046Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws
Details

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-byte UTF-8 BOM, decodejson() advances the input scalar's string pointer past the mark with SvPVset() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filterjsonobject callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.

When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.

Database specific
{
    "cwe_ids": [
        "CWE-755",
        "CWE-763"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9516.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/rurban/cpanel-json-xs

Affected ranges

Type
GIT
Repo
https://github.com/rurban/cpanel-json-xs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:rurban:cpanel\\:\\:json\\:\\:xs:*:*:*:*:*:perl:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.41"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.27
2.28
2.29
2.3
2.31
2.32
2.3305
2.3306
2.3307
2.3308
2.3309
2.3310
2.3311
2.3313
2.3314
2.33_02
2.33_04
2.3401
2.3402
2.3403
2.3404
3.*
3.0101
3.0102
3.0103
3.0104
3.0105
3.0106
3.0109
3.0110
3.0111
3.0112
3.0113
3.0114
3.0115
3.0201
3.0202
3.0204
3.0205
3.0206
3.0207
3.0208
3.0209
3.0210
3.0211
3.0212
3.0213
3.0213_01
3.0213_02
3.0214
3.0215
3.0216
3.0217
3.0217_01
3.0217_02
3.0217_03
3.0217_04
3.0217_05
3.0217_06
3.0218
3.0219
3.0220
3.0221
3.0222
3.0223
3.0224
3.0225
3.0226
3.0227
3.0229
3.0232
3.0233
3.0234
3.0235
3.0236
3.0237
3.0238
3.0239
3.0240
3.99_01
3.99_02
3.99_03
4.*
4.00
4.01
4.02
4.03
4.04
4.05
4.06
4.07
4.08
4.09
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.27
4.28
4.29
4.30
4.31
4.32
4.33
4.34
4.35
4.36
4.37
4.38
4.39
4.40

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9516.json"