CVE-2026-7111
Use-After-Free in Text::CSV_XS Perl Module

Publication date: 2026-04-29

Last updated on: 2026-05-06

Assigner: CPANSec

Description
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Meta Information
Published: 2026-04-29
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: hmbrand
Product: text
Version / Range: to 1.62 (exc)
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Text::CSV_XS versions before 1.62 for Perl. It is a use-after-free issue that occurs when registered callbacks extend the Perl argument stack during certain method calls (such as parse, print, getline, and getline_all).

The problem arises because these methods cache the Perl argument stack pointer across the callback invocation. If a callback extends the argument stack enough to cause a reallocation, the cached pointer becomes stale and points to freed memory. Writing the return value through this stale pointer corrupts memory and causes the caller to read the original object ($self) instead of the expected parsed data.

As a result, code expecting parsed data may receive the Text::CSV_XS object itself, leading to logic errors or crashes. This issue only affects usage with registered callbacks; if no callbacks are registered, the vulnerability does not occur.


How can this vulnerability impact me?

This vulnerability can cause logic errors or crashes in applications using Text::CSV_XS with registered callbacks. Specifically, when the application expects parsed CSV data, it may instead receive the Text::CSV_XS object due to memory corruption caused by the use-after-free.

Such unexpected behavior can lead to application instability, incorrect data processing, or denial of service if the application crashes. It may also introduce security risks if the corrupted memory is exploited further, although no direct exploitation details are provided.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs in Text::CSV_XS versions before 1.62 for Perl when registered callbacks extend the Perl argument stack, causing use-after-free and memory corruption.

Detection involves identifying whether your system is running a vulnerable version of the Text::CSV_XS Perl module (version before 1.62) and whether any code uses registered callbacks with the parse, print, getline, or getline_all methods.

You can check the installed version of Text::CSV_XS with the following Perl command:

  • perl -MText::CSV_XS -e 'print $Text::CSV_XS::VERSION, "\n"'

To detect usage of callbacks in your Perl scripts, you would need to review the code for usage of after_parse, before_print, on_error, or other registered callbacks with Text::CSV_XS methods.

There are no specific network commands or automated detection tools mentioned in the provided resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Text::CSV_XS to version 1.62 or later, where the vulnerability has been fixed.

The fix ensures proper stack management by calling SPAGAIN when callbacks extend the Perl argument stack, preventing use-after-free and memory corruption.

If upgrading immediately is not possible, avoid using registered callbacks with the parse, print, getline, or getline_all methods in Text::CSV_XS, as objects used without callbacks are not affected.
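The stale-pointer mechanism from the Description and the SPAGAIN fix named in the mitigation answer above, as an added C illustration that is not Text::CSV_XS or perl code: it simulates the argument stack with a small buffer that moves when a callback pushes more than fits, and getline_like() returns what the Perl caller would read back, with and without refreshing the cached pointer. The stack model, buffer sizes and SV contents are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the Perl argument stack, constructed for this example. Real perl
 * realloc()s the stack and frees the old block; here a grown stack moves to a
 * second static buffer so the write through the stale pointer stays observable. */
typedef struct { const char *what; } SV;
static SV *small_stack[4], *big_stack[64];
static SV **stack_base, **stack_sp, **stack_max;

static void stack_reset(void) {
    memset(small_stack, 0, sizeof small_stack);
    memset(big_stack, 0, sizeof big_stack);
    stack_base = small_stack; stack_sp = small_stack - 1; stack_max = small_stack + 3;
}
/* EXTEND: if n more slots do not fit, the stack is grown and its base moves. */
static void stack_extend(int n) {
    if (stack_sp + n <= stack_max) return;
    size_t used = (size_t)(stack_sp - stack_base + 1);
    memcpy(big_stack, stack_base, used * sizeof *stack_base);
    stack_base = big_stack; stack_sp = big_stack + used - 1; stack_max = big_stack + 63;
}
static void push_sv(SV *sv) { stack_extend(1); *++stack_sp = sv; }

/* A registered callback (after_parse, say) that pushes n temporaries while it
 * runs; perl unwinds the stack pointer afterwards, but the base stays moved. */
static void run_callback(int n) {
    static SV tmp = { "callback temp" };
    for (int i = 0; i < n; i++) push_sv(&tmp);
    stack_sp -= n;
}

/* getline-style XS method: ST(0) is $self on entry and the result on return.
 * `sp` is the stack pointer cached by dSP before the callback is invoked; with
 * use_spagain = 0 it is used as-is (the bug), with 1 it is refreshed first (SPAGAIN). */
static const char *getline_like(int use_spagain, int callback_pushes) {
    static SV self = { "Text::CSV_XS object" }, row = { "parsed row" };
    stack_reset();
    push_sv(&self);                 /* caller passes $self as the only argument   */
    SV **sp = stack_sp;             /* dSP: local copy of the stack pointer       */
    run_callback(callback_pushes);  /* may grow and move the stack                */
    if (use_spagain) sp = stack_sp; /* SPAGAIN: re-read the pointer after the call */
    *sp = &row;                     /* ST(0) = result, possibly into the old buffer */
    return stack_base[0]->what;     /* what the Perl caller actually reads back   */
}
```

getline_like(0, 8) models the bug (the caller gets the object back), getline_like(1, 8) the fixed code, and getline_like(0, 2) a callback that never grows the stack, where the stale pointer happens to remain valid.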


Can you explain this vulnerability to me?

This vulnerability exists in Text::CSV_XS versions before 1.62 for Perl and is a use-after-free issue triggered when registered callbacks extend the Perl argument stack.

The parse, print, getline, and getline_all methods invoke these callbacks and cache the Perl argument stack pointer across the call. If a callback extends the stack enough to cause reallocation, the cached pointer becomes stale and writing the return value through it corrupts freed memory.

As a result, the caller may receive the Text::CSV_XS object instead of the expected parsed data, leading to logic errors or crashes. This issue does not affect objects used without any registered callbacks.


How can this vulnerability impact me?

This vulnerability can cause logic errors or crashes in applications using affected versions of Text::CSV_XS with registered callbacks.

Because the caller may receive incorrect data (the Text::CSV_XS object instead of parsed CSV data), this can lead to unexpected behavior, application instability, or denial of service.

Additionally, the vulnerability has a high severity with a CVSS score of 8.4, indicating it can have a significant impact on confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying usage of Text::CSV_XS Perl module versions before 1.62 that register callbacks such as after_parse, before_print, or on_error.

Since the vulnerability occurs when callbacks extend the Perl argument stack, monitoring for crashes or logic errors in Perl scripts that use these methods (parse, print, getline, getline_all) with registered callbacks may indicate exploitation.

No specific detection commands are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Text::CSV_XS Perl module to version 1.62 or later, where the vulnerability has been fixed.

Avoid using registered callbacks with affected methods in versions prior to 1.62, as objects used without callbacks are not affected.

Apply the patch that ensures proper stack management by calling SPAGAIN when callbacks extend the stack, as implemented in the fix committed on April 25, 2026.

