Bug 2484284 (CVE-2026-9334) - CVE-2026-9334 perl-Cpanel-JSON-XS: perl-Cpanel-JSON-XS: Denial of Service via type confusion with duplicate JSON object keys
Keywords:
Status: NEW
Alias: CVE-2026-9334
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2484330 2484331
Blocks:
Reported: 2026-06-03 01:01 UTC by OSIDB Bzimport
Modified: 2026-06-03 11:31 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-03 01:01:18 UTC
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`. Because the operator is `&&`, the right-hand operand is evaluated exactly when the left-hand one is true, that is, exactly when old_value is not a reference, so SvRV(old_value) is reached before it has been established that old_value is a reference at all. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.

A caller decoding untrusted JSON with dupkeys_as_arrayref enabled can be crashed, and the incompatible access follows a pointer taken from attacker-controlled scalar contents. Since the first value stored under a key is an ordinary scalar, a repeated key whose first value is a plain scalar is sufficient to reach this path. Until 4.41 or later is installed, dupkeys_as_arrayref should be left disabled when decoding input from untrusted sources.
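As an added illustration, not code from Cpanel::JSON::XS or from this report, the following C model reproduces the shape of the duplicate-key decision described above and places the corrected predicate beside the pre-4.41 one. The SV/AV structures, the `sv_rv()` stand-in for SvRV(), the sentinel it returns instead of following a bogus pointer, the `bad_derefs` counter and all helper names are simplified assumptions made for the example; the real macros operate on perl's SV layout. The input `{"k":"a","k":"b","k":"c"}` is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Subset of perl's type tags, reusing the names from the report. */
enum sv_type { SVt_PV, SVt_RV, SVt_PVAV, SVt_PVHV };

#define AV_MAX 8

typedef struct sv {
    enum sv_type type;
    union {
        char pv[16];                                     /* plain string scalar */
        struct sv *rv;                                   /* referent; valid only for SVt_RV */
        struct { struct sv *items[AV_MAX]; int n; } av;  /* array body */
    } u;
} SV;

/* Count of times a non-reference was dereferenced as a reference. */
static int bad_derefs;

/* Stand-in for SvRV().  The real macro reads the referent pointer out of the
 * SV body; on a plain scalar that means reinterpreting payload bytes, which
 * for decoded JSON are attacker-controlled.  The model records the misuse
 * and hands back a sentinel rather than following such a pointer. */
static SV sentinel = { SVt_PV, { .pv = "garbage" } };

static SV *sv_rv(SV *sv)
{
    if (sv->type != SVt_RV) {
        bad_derefs++;
        return &sentinel;
    }
    return sv->u.rv;
}

/* Pre-4.41 shape of the test.  && evaluates its right operand exactly when
 * the left one is true, i.e. when old_value is NOT a reference, so sv_rv()
 * runs in precisely the case where it must not. */
static int needs_promotion_buggy(SV *old_value)
{
    return old_value->type != SVt_RV && sv_rv(old_value)->type != SVt_PVAV;
}

/* Corrected predicate: wrap in a new arrayref if old_value is not a
 * reference at all, OR refers to something other than an array.  With ||
 * the right operand is only reached for a genuine reference. */
static int needs_promotion_fixed(SV *old_value)
{
    return old_value->type != SVt_RV || sv_rv(old_value)->type != SVt_PVAV;
}

static SV *new_sv(enum sv_type t)
{
    SV *sv = calloc(1, sizeof *sv);
    sv->type = t;
    return sv;
}

static SV *new_pv(const char *s)
{
    SV *sv = new_sv(SVt_PV);
    snprintf(sv->u.pv, sizeof sv->u.pv, "%s", s);
    return sv;
}

static SV *new_ref(SV *target)
{
    SV *sv = new_sv(SVt_RV);
    sv->u.rv = target;
    return sv;
}

static void av_push(SV *av, SV *v)
{
    if (av->type == SVt_PVAV && av->u.av.n < AV_MAX)
        av->u.av.items[av->u.av.n++] = v;
}

/* The duplicate-key step under dupkeys_as_arrayref: fold the existing value
 * and the new one into one arrayref, extending it when it already is one. */
static SV *store_dup_key(SV *old_value, SV *new_value)
{
    if (needs_promotion_fixed(old_value)) {
        SV *av = new_sv(SVt_PVAV);
        av_push(av, old_value);
        old_value = new_ref(av);
    }
    av_push(sv_rv(old_value), new_value);
    return old_value;
}

/* Unsafe dereferences performed by each predicate when the existing value
 * is a plain scalar: 1 for the pre-4.41 test, 0 for the fixed one. */
static int derefs_for_plain_scalar(int fixed)
{
    SV *plain = new_pv("x");
    bad_derefs = 0;
    if (fixed)
        needs_promotion_fixed(plain);
    else
        needs_promotion_buggy(plain);
    return bad_derefs;
}

/* Constructed input {"k":"a","k":"b","k":"c"}, processed key by key with the
 * corrected predicate; returns the number of values collected under "k". */
static int decode_triplicate_key(void)
{
    SV *slot = new_pv("a");                    /* first "k": stored as a plain scalar */
    slot = store_dup_key(slot, new_pv("b"));   /* second "k": old value is that scalar */
    slot = store_dup_key(slot, new_pv("c"));   /* third "k": old value is now an arrayref */
    return slot->type == SVt_RV ? sv_rv(slot)->u.av.n : -1;
}

int main(void)
{
    printf("buggy predicate, plain scalar: %d unsafe deref(s)\n", derefs_for_plain_scalar(0));
    printf("fixed predicate, plain scalar: %d unsafe deref(s)\n", derefs_for_plain_scalar(1));
    printf("values under \"k\" after three duplicates: %d\n", decode_triplicate_key());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The point the model isolates is the direction of the short circuit: the buggy `&&` only protects the case that was already safe (old_value is a reference) and exposes the unsafe one, whereas the `||` form never evaluates the referent's type unless old_value is known to be a reference.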

