CVE-2026-9334
Type Confusion in Cpanel::JSON::XS Perl Module
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: CPANSec
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rurban | cpanel_json_xs | before 4.41 (4.41 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-9334 is a type confusion vulnerability in the Perl module Cpanel::JSON::XS versions before 4.41. It occurs when the feature dupkeys_as_arrayref is enabled and the input JSON contains duplicate keys.
The vulnerability arises in the decode_hv() function, where duplicate keys are supposed to be collapsed into an array reference. Because of a coding mistake, the function treats a non-reference scalar as if it were a reference, which is a type confusion.
Specifically, the code checks the type of the existing value with a logical AND where a logical OR was needed, so it goes on to dereference a scalar that is not a reference. The resulting bogus pointer triggers a crash (segmentation fault).
An attacker can exploit this by providing specially crafted JSON with duplicate keys, causing the program decoding the JSON to crash.
How can this vulnerability impact me?
This vulnerability can cause a program using the affected Cpanel::JSON::XS module with dupkeys_as_arrayref enabled to crash when processing specially crafted JSON input.
Such crashes can lead to denial of service conditions, where legitimate users are unable to use the affected service or application.
Because the crash is triggered by attacker-controlled input, it could be exploited remotely if the application processes untrusted JSON data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing crashes or segmentation faults in applications using Cpanel::JSON::XS with the dupkeys_as_arrayref feature enabled when processing JSON input containing duplicate keys.
To detect the vulnerability on your system, you can monitor logs for crashes related to JSON decoding or run tests with crafted JSON inputs containing duplicate keys to see if the application crashes.
There are no specific commands provided in the resources, but a general approach is to run a test script that decodes JSON with duplicate keys using Cpanel::JSON::XS with dupkeys_as_arrayref enabled and observe if a segmentation fault occurs.
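The self-check below is an added example, not code from the advisory or from the Cpanel::JSON::XS project. It reports the installed module as affected when its version is below 4.41 without decoding duplicate-key input on such a version, and on a fixed version confirms that duplicate keys collapse into an arrayref. It assumes the documented constructor-style API (`new`, `allow_dupkeys`, `dupkeys_as_arrayref`, `decode`); the JSON input is constructed for the test.

```perl
#!/usr/bin/env perl
# Added self-check for CVE-2026-9334; not part of Cpanel::JSON::XS.
# Assumption: the module exposes new(), allow_dupkeys(), dupkeys_as_arrayref()
# and decode() as documented; $Cpanel::JSON::XS::VERSION holds the version.
use strict;
use warnings;
use version;
use Cpanel::JSON::XS;

my $fixed_in = version->parse('4.41');   # first version reported as fixed
my $have     = version->parse($Cpanel::JSON::XS::VERSION);

# Constructed sample input: one object whose key "k" appears three times.
my $dup_json = '{"k":1,"k":2,"k":3}';

if ( $have < $fixed_in ) {
    # Do not feed duplicate-key JSON to a vulnerable build; it may segfault.
    print "Cpanel::JSON::XS $have is below $fixed_in: affected by CVE-2026-9334.\n";
    print "Upgrade, or leave dupkeys_as_arrayref disabled for untrusted JSON.\n";
    exit 1;
}

# Fixed version: verify that duplicates are collected into a single arrayref.
my $decoder = Cpanel::JSON::XS->new->allow_dupkeys->dupkeys_as_arrayref;
my $got = eval { $decoder->decode($dup_json) };
if ( !defined $got ) {
    print "decode failed: $@";
    exit 2;
}
my $val = $got->{k};
if ( ref $val eq 'ARRAY' && @$val == 3 ) {
    print "Cpanel::JSON::XS $have collapses duplicate keys into [@$val].\n";
    exit 0;
}
print "Unexpected result for duplicate keys: ", ( ref $val || $val ), "\n";
exit 2;
```

Run it under the same perl and library path the application uses, since a system perl and a vendored one may carry different module versions.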
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating Cpanel::JSON::XS to a version that includes the patch fixing this vulnerability.
The patch corrects the handling of duplicate keys and fixes the type confusion issue in the decode_hv() function.
If updating is not immediately possible, avoid enabling the dupkeys_as_arrayref feature or avoid processing untrusted JSON inputs with duplicate keys.