CVE-2026-7111
Use-After-Free in Text::CSV_XS Perl Module
Publication date: 2026-04-29
Last updated on: 2026-05-06
Assigner: CPANSec
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hmbrand | text | before 1.62 (1.62 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Text::CSV_XS versions before 1.62 for Perl. It is a use-after-free issue that occurs when registered callbacks extend the Perl argument stack during certain method calls (such as parse, print, getline, and getline_all).
The problem arises because these methods cache the Perl argument stack pointer across the callback invocation. If a callback extends the argument stack enough to cause a reallocation, the cached pointer becomes stale and points to freed memory. Writing the return value through this stale pointer corrupts memory and causes the caller to read the original object ($self) instead of the expected parsed data.
As a result, code expecting parsed data may receive the Text::CSV_XS object itself, leading to logic errors or crashes. This issue only affects usage with registered callbacks; if no callbacks are registered, the vulnerability does not occur.
How can this vulnerability impact me?
This vulnerability can cause logic errors or crashes in applications using Text::CSV_XS with registered callbacks. Specifically, when the application expects parsed CSV data, it may instead receive the Text::CSV_XS object due to memory corruption caused by the use-after-free.
Such unexpected behavior can lead to application instability, incorrect data processing, or denial of service if the application crashes. It may also introduce security risks if the corrupted memory is exploited further, although no direct exploitation details are provided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in Text::CSV_XS versions before 1.62 for Perl when registered callbacks extend the Perl argument stack, causing use-after-free and memory corruption.
Detection involves identifying whether your system is running a vulnerable version of the Text::CSV_XS Perl module (any version before 1.62) and whether any code uses registered callbacks with the parse, print, getline, or getline_all methods.
You can check the installed version of Text::CSV_XS with the following Perl command:
- `perl -MText::CSV_XS -e 'print $Text::CSV_XS::VERSION, "\n"'`
To detect usage of callbacks in your Perl scripts, you would need to review the code for usage of after_parse, before_print, on_error, or other registered callbacks with Text::CSV_XS methods.
There are no specific network commands or automated detection tools mentioned in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Text::CSV_XS to version 1.62 or later, where the vulnerability has been fixed.
The fix ensures proper stack management by calling SPAGAIN when callbacks extend the Perl argument stack, preventing use-after-free and memory corruption.
If upgrading immediately is not possible, avoid using registered callbacks with the parse, print, getline, or getline_all methods in Text::CSV_XS, as objects used without callbacks are not affected.
Can you explain this vulnerability to me?
This vulnerability exists in Text::CSV_XS versions before 1.62 for Perl and is a use-after-free issue triggered when registered callbacks extend the Perl argument stack.
The parse, print, getline, and getline_all methods invoke these callbacks and cache the Perl argument stack pointer across the call. If a callback extends the stack enough to cause reallocation, the cached pointer becomes stale, and writing the return value through it corrupts freed memory.
As a result, the caller may receive the Text::CSV_XS object instead of the expected parsed data, leading to logic errors or crashes. This issue does not affect objects used without any registered callbacks.
How can this vulnerability impact me?
This vulnerability can cause logic errors or crashes in applications using affected versions of Text::CSV_XS with registered callbacks.
Because the caller may receive incorrect data (the Text::CSV_XS object instead of parsed CSV data), this can lead to unexpected behavior, application instability, or denial of service.
Additionally, the vulnerability has a high severity with a CVSS score of 8.4, indicating it can have a significant impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying usage of Text::CSV_XS Perl module versions before 1.62 that register callbacks such as after_parse, before_print, or on_error.
Since the vulnerability occurs when callbacks extend the Perl argument stack, monitoring for crashes or logic errors in Perl scripts that use these methods (parse, print, getline, getline_all) with registered callbacks may indicate exploitation.
No specific detection commands are provided in the available resources.
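The two detection steps described in both answers above (the installed-version check and the review for registered callbacks) combined into one script. This is an added example, not part of the CVE record or of Text::CSV_XS itself; it assumes perl is on PATH, uses the version command quoted above, and takes the callback names (after_parse, before_print, on_error) from the record plus the module's `callbacks` attribute. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the CVE record or the Text::CSV_XS project.
# Assumes perl is on PATH; 1.62 is the fixed release named in the record.

FIXED_VERSION=1.62

# True (exit 0) when a Text::CSV_XS version string is older than 1.62.
# Text::CSV_XS uses decimal versions (1.61, 1.62), so a numeric
# comparison is the right rule; "use Text::CSV_XS 1.62" compares the same way.
csv_xs_is_vulnerable() {
  awk -v v="$1" -v fixed="$FIXED_VERSION" 'BEGIN { exit !(v + 0 < fixed + 0) }'
}

# Print the installed version, or nothing when the module is absent.
installed_csv_xs_version() {
  perl -MText::CSV_XS -e 'print $Text::CSV_XS::VERSION, "\n"' 2>/dev/null
}

# List source lines that register Text::CSV_XS callbacks: the
# "callbacks" attribute plus the callback names given in the record.
find_callback_usage() {
  grep -rnE 'callbacks[[:space:]]*=>|after_parse|before_print|on_error' "$@" 2>/dev/null
}

# Verdict for one host: exposed only when the installed module is old
# AND the scanned sources register callbacks (objects used without
# callbacks are not affected, per the record). Prints one of:
# not-installed, fixed, vulnerable-no-callbacks, exposed
csv_xs_exposure() {
  ver=$(installed_csv_xs_version)
  [ -n "$ver" ] || { echo not-installed; return 0; }
  if ! csv_xs_is_vulnerable "$ver"; then echo fixed; return 0; fi
  if find_callback_usage "$@" >/dev/null; then
    echo exposed
  else
    echo vulnerable-no-callbacks
  fi
}

# Usage: csv_xs_exposure /path/to/perl/sources
```

A "vulnerable-no-callbacks" result still warrants the upgrade; it only means the scanned sources do not currently trigger the affected code path.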
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Text::CSV_XS Perl module to version 1.62 or later, where the vulnerability has been fixed.
Avoid using registered callbacks with affected methods in versions prior to 1.62, as objects used without callbacks are not affected.
Apply the patch that ensures proper stack management by calling SPAGAIN when callbacks extend the stack, as implemented in the fix committed on April 25, 2026.