UBUNTU-CVE-2026-14803

Source
https://ubuntu.com/security/CVE-2026-14803
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-14803
Upstream
Published
2026-07-06T02:16:00Z
Modified
2026-07-09T15:15:46Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.

References

Affected packages

Ubuntu:16.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.15+dfsg-1
6.15+dfsg-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "6.15+dfsg-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:18.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.39+dfsg-1ubuntu1
7.43+dfsg-1ubuntu1
7.57+dfsg-1ubuntu1
7.59+dfsg-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "7.59+dfsg-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:20.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.22+dfsg-1
8.23+dfsg-1
8.26+dfsg-1
8.27+dfsg-1
8.32+dfsg-1
8.33+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "8.33+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:22.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.71+dfsg-1
9.*
9.22+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.22+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:24.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.33+dfsg-1
9.35+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.35+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:25.10
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.39+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.39+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"
Ubuntu:26.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.39+dfsg-1
9.42+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.42+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14803.json"