


Perceptive Security
SOC/SIEM Consultancy

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.
To skip a leading 3-b…
Published:
2 June 2026 at 22:00:00
Alert date:
3 June 2026 at 19:01:16
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-9516 affects Cpanel::JSON::XS versions before 4.41 for Perl, allowing denial of service via UTF-8 BOM-prefixed input when a decode filter callback throws an exception. The vulnerability occurs because decode_json() advances the input scalar's string pointer past the UTF-8 BOM but does not restore it when decoding aborts through a Perl exception. The scalar is left with an offset string pointer and a shortened length, so when it is freed the allocator receives an invalid pointer and the interpreter aborts. A single BOM-prefixed document with a throwing filter callback can crash any caller.
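The upgrade to 4.41 is the fix; as an added illustration (not code from the advisory or from the Cpanel::JSON::XS project), the following caller-side workaround strips the BOM from a copy of the input before decoding, so the decoder never takes the pointer-advancing path the advisory describes, and turns a throwing filter callback into an ordinary decode error. The helper name `safe_decode_with_filter`, the sample document and the filter are constructed for this example, and the assumption that removing the BOM avoids the affected path is drawn from the advisory text only.

```perl
use strict;
use warnings;
use Cpanel::JSON::XS ();

# Caller-side workaround for Cpanel::JSON::XS < 4.41 (CVE-2026-9516).
# Assumption taken from the advisory: the crash needs a leading UTF-8 BOM
# that decode() skips by moving the scalar's string pointer. Removing the
# BOM ourselves, on a copy, means the decoder never takes that path and
# the caller's scalar is never left with an offset pointer.
sub safe_decode_with_filter {
    my ($bytes, $filter) = @_;

    # Work on a copy so the caller's scalar is never modified in place.
    my $copy = $bytes;
    $copy =~ s/\A\xEF\xBB\xBF//;   # strip UTF-8 BOM (bytes EF BB BF)

    my $json = Cpanel::JSON::XS->new->utf8->filter_json_object($filter);

    # A throwing filter callback is now a normal decode failure,
    # reported to the caller instead of aborting the interpreter.
    my $data = eval { $json->decode($copy) };
    if (my $err = $@) {
        return (undef, "decode failed: $err");
    }
    return ($data, undef);
}

# Constructed sample: BOM-prefixed document plus a filter that rejects
# any JSON object containing a key named "forbidden".
my $input  = "\xEF\xBB\xBF" . '{"ok":1,"nested":{"forbidden":true}}';
my $filter = sub {
    my ($obj) = @_;
    die "rejected object with forbidden key\n" if exists $obj->{forbidden};
    return ();   # empty list: keep the object unchanged
};

my ($data, $err) = safe_decode_with_filter($input, $filter);
print defined $err ? "error: $err" : "decoded ok\n";
```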
Technical details
Mitigation steps:
Affected products:
Cpanel::JSON::XS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-9516
https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b.patch
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes
http://www.openwall.com/lists/oss-security/2026/06/03/5
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
