Bug 2484285 (CVE-2026-9516) - CVE-2026-9516 perl-Cpanel-JSON-XS: Cpanel::JSON::XS: Denial of Service via UTF-8 BOM prefixed input
Summary: CVE-2026-9516 perl-Cpanel-JSON-XS: Cpanel::JSON::XS: Denial of Service via UT...
Keywords:
Status: NEW
Alias: CVE-2026-9516
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2484332 2484333
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-03 01:01 UTC by OSIDB Bzimport
Modified: 2026-06-03 11:31 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-03 01:01:22 UTC
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length.

When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.


Note You need to log in before you can comment on or make changes to this bug.