Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.
To skip a leading 3-byte UTF-8 BOM, decodejson() advances the input scalar's string pointer past the mark with SvPVset() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filterjsonobject callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.
When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
{
"cwe_ids": [
"CWE-755",
"CWE-763"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9516.json",
"cna_assigner": "CPANSec"
}{
"cpe": "cpe:2.3:a:rurban:cpanel\\:\\:json\\:\\:xs:*:*:*:*:*:perl:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.41"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}