
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-b…

Published:

2 June 2026 at 22:00:00

Alert date:

3 June 2026 at 19:01:16

Source:

nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

CVE-2026-9516 affects Cpanel::JSON::XS versions before 4.41 for Perl and allows denial of service via UTF-8 BOM-prefixed input when a decode filter callback throws an exception. decode_json() advances the input scalar's string pointer past the UTF-8 BOM but fails to restore it when decoding aborts through a Perl exception. The scalar is left with an offset string pointer and a shortened length, so when it is freed the allocator receives an invalid pointer and the interpreter aborts. A single BOM-prefixed document combined with a throwing filter callback can crash any caller.
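The bug class described above, as an added C model that is not the Cpanel::JSON::XS source: a decoder that advances a buffer pointer past the BOM and restores it only on the normal return path, next to a variant that also restores it when the callback throws. All names (`scalar_t`, `decode_unsafe`, `decode_safe`, `intact_after`) are hypothetical, and `setjmp`/`longjmp` stands in for a Perl exception.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>
/* Model scalar: base is what the allocator returned; pv/len are what the decoder reads. */
typedef struct { char *base, *pv; size_t len; } scalar_t;
typedef void (*filter_cb)(void);

static jmp_buf *handler;                           /* innermost eval-like frame */
static void throw_exc(void) { longjmp(*handler, 1); }
static void throwing_filter(void) { throw_exc(); } /* filter callback that dies */

static int skip_bom(scalar_t *s) {
    if (s->len < 3 || memcmp(s->pv, "\xEF\xBB\xBF", 3) != 0) return 0;
    s->pv += 3; s->len -= 3;                       /* the scalar itself is modified */
    return 1;
}
static void restore_bom(scalar_t *s) { s->pv -= 3; s->len += 3; }

/* Pattern from the advisory: the restore happens only on the normal return path. */
static void decode_unsafe(scalar_t *s, filter_cb cb) {
    int skipped = skip_bom(s);
    cb();                                          /* a throw jumps past the restore */
    if (skipped) restore_bom(s);
}
/* Hardened pattern: catch, restore, then re-throw to the caller. */
static void decode_safe(scalar_t *s, filter_cb cb) {
    jmp_buf here, *outer = handler;
    volatile int thrown = 0;
    int skipped = skip_bom(s);
    handler = &here;
    if (setjmp(here) == 0) cb(); else thrown = 1;
    handler = outer;
    if (skipped) restore_bom(s);
    if (thrown) throw_exc();
}
/* Returns 1 if the scalar could still be handed back to the allocator safely. */
static int intact_after(void (*decode)(scalar_t *, filter_cb), char *buf, size_t n) {
    static scalar_t s;                             /* static: survives longjmp intact */
    jmp_buf eval_frame;
    s.base = s.pv = buf; s.len = n;
    handler = &eval_frame;
    if (setjmp(eval_frame) == 0) decode(&s, throwing_filter);
    return s.pv == s.base && s.len == n;
}
int main(void) {
    char doc[] = "\xEF\xBB\xBF{\"a\":1}";          /* constructed BOM-prefixed input */
    printf("unsafe intact=%d\n", intact_after(decode_unsafe, doc, sizeof doc - 1));
    printf("safe intact=%d\n", intact_after(decode_safe, doc, sizeof doc - 1));
    return 0;
}
```

In the model, a result of 0 means the pointer that would be passed to `free()` no longer matches the one the allocator issued, which is the condition the advisory describes.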


Affected products:

Cpanel::JSON::XS


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
