CVE-2026-9334
Analyzed Analyzed - Analysis Complete
Type Confusion in Cpanel::JSON::XS Perl Module

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: CPANSec

Description
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-05
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-9334
EUVD
EUVD-2026-34060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rurban cpanel to 4.41 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9334 is a type confusion vulnerability in the Perl module Cpanel::JSON::XS versions before 4.41. It occurs when the feature dupkeys_as_arrayref is enabled and the input JSON contains duplicate keys.

The vulnerability arises in the decode_hv() function, where duplicate keys are supposed to be collapsed into an array reference. However, due to coding mistakes, the function incorrectly treats a non-reference scalar as a reference, leading to a type confusion.

Specifically, the code checks the type of an existing value using a logical AND instead of OR, causing it to dereference a non-reference scalar. This results in a bogus pointer being used, which triggers a crash (segmentation fault).

An attacker can exploit this by providing specially crafted JSON with duplicate keys, causing the program decoding the JSON to crash.

Impact Analysis

This vulnerability can cause a program using the affected Cpanel::JSON::XS module with dupkeys_as_arrayref enabled to crash when processing specially crafted JSON input.

Such crashes can lead to denial of service conditions, where legitimate users are unable to use the affected service or application.

Because the crash is triggered by attacker-controlled input, it could be exploited remotely if the application processes untrusted JSON data.

Detection Guidance

This vulnerability can be detected by observing crashes or segmentation faults in applications using Cpanel::JSON::XS with the dupkeys_as_arrayref feature enabled when processing JSON input containing duplicate keys.

To detect the vulnerability on your system, you can monitor logs for crashes related to JSON decoding or run tests with crafted JSON inputs containing duplicate keys to see if the application crashes.

There are no specific commands provided in the resources, but a general approach is to run a test script that decodes JSON with duplicate keys using Cpanel::JSON::XS with dupkeys_as_arrayref enabled and observe if a segmentation fault occurs.

Mitigation Strategies

Immediate mitigation involves updating Cpanel::JSON::XS to a version that includes the patch fixing this vulnerability.

The patch corrects the handling of duplicate keys and fixes the type confusion issue in the decode_hv() function.

If updating is not immediately possible, avoid enabling the dupkeys_as_arrayref feature or avoid processing untrusted JSON inputs with duplicate keys.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart