CVE-2026-9516
Analyzed Analyzed - Analysis Complete
Denial of Service in Cpanel::JSON::XS Perl Module

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: CPANSec

Description
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-05
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-9516
EUVD
EUVD-2026-34061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rurban cpanel to 4.41 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
CWE-763 The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the decode_json() function of Cpanel::JSON::XS versions before 4.41 for Perl. When the input JSON string starts with a UTF-8 Byte Order Mark (BOM), the function attempts to skip this BOM by directly modifying the input string's internal pointer and length.

Normally, after processing, the function restores the original pointer and length. However, if a decode filter callback throws an exception during decoding, the restoration step is skipped. This leaves the input string's internal pointer offset incorrectly and its length shortened.

When the corrupted string is later freed, the memory allocator receives an invalid pointer, causing the Perl interpreter to abort unexpectedly. This can be triggered by a small payload containing a UTF-8 BOM followed by an empty JSON object and a throwing filter callback.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition in applications using vulnerable versions of Cpanel::JSON::XS. Specifically, if an attacker provides JSON input prefixed with a UTF-8 BOM and triggers a decode filter callback that throws an exception, the application will crash due to an invalid memory pointer.

Such crashes can disrupt service availability, potentially leading to downtime or requiring restarts of the affected Perl interpreter or application.

Detection Guidance

This vulnerability can be detected by testing the decode_json() function of Cpanel::JSON::XS with input containing a leading UTF-8 BOM followed by JSON data, especially when using filter callbacks that may throw exceptions.

A practical detection method is to send a minimal payload consisting of a UTF-8 BOM (3 bytes) followed by an empty JSON object "{}" to any service or script using the vulnerable decode_json() function with a throwing filter callback.

If the system or application crashes or aborts with a SIGABRT (exit code 134), it indicates the presence of this vulnerability.

No specific commands are provided in the available resources, but a test script in Perl could be constructed to decode a BOM-prefixed JSON string with a filter callback that throws an exception to observe if the interpreter aborts.

Mitigation Strategies

Immediate mitigation involves updating Cpanel::JSON::XS to version 4.41 or later, where the vulnerability has been fixed by removing the in-place mutation of the input scalar and properly handling the UTF-8 BOM without corrupting the string pointer.

Until an update can be applied, avoid using decode_json() with input containing a UTF-8 BOM when filter callbacks that may throw exceptions are involved.

Additionally, review and modify any filter callbacks to handle exceptions gracefully without causing the decode_json() function to abort unexpectedly.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart