========================================================================
CVE-2026-9334                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-9334
  Distribution:  Cpanel-JSON-XS
      Versions:  before 4.41

      MetaCPAN:  https://metacpan.org/dist/Cpanel-JSON-XS
      VCS Repo:  https://github.com/rurban/Cpanel-JSON-XS


Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via
duplicate object keys when dupkeys_as_arrayref is enabled

Description
-----------
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via
duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference
under dupkeys_as_arrayref. The branch reached for a duplicate key tests
`SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) !=
SVt_PVAV`. Because `&&` short-circuits only when its first operand is
false, a non-reference old_value (for which the first test is true)
reaches SvRV(old_value) before it has been established that old_value
is a reference at all. When the existing value is a plain scalar rather
than an array reference, that non-reference scalar is dereferenced as a
reference.

A caller decoding untrusted JSON with dupkeys_as_arrayref enabled
crashes, and the incompatible access follows a pointer taken from
attacker-controlled scalar contents.
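
As an added illustration (not the module's code and not the referenced
commit), the C below models the duplicate-key check on a minimal stand-in
for perl's SV: `vulnerable_deref_target` returns the pointer the quoted
`&&` condition goes on to follow for a plain string scalar, and
`needs_wrap_fixed` is one corrected form of the predicate using `||` so
that `SvRV` is only evaluated on a reference; the `||` form is an
assumption about the fix, not text taken from the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of perl's SV for this advisory, not perl's headers: a
 * type tag plus one payload slot that is a union, as in perl's sv_u, so
 * for a plain string scalar the bytes holding the string pointer are
 * exactly what SvRV() reads back as the "referent". */
typedef enum { SVt_PV, SVt_RV, SVt_PVAV } svtype;
typedef struct sv SV;
struct sv {
    svtype type;
    union { SV *svu_rv; const char *svu_pv; } sv_u;
};
#define SvTYPE(sv) ((sv)->type)
#define SvRV(sv)   ((sv)->sv_u.svu_rv)

/* The condition quoted in the advisory, first operand isolated: it is
 * true exactly when old_value is NOT a reference, and '&&' then goes on
 * to evaluate SvRV(old_value). Instead of dereferencing, return the
 * pointer the original code would follow (NULL when that path is not
 * taken), so the confusion is observable without a crash. */
const SV *vulnerable_deref_target(SV *old_value) {
    if (SvTYPE(old_value) != SVt_RV)
        return SvRV(old_value);   /* string payload reinterpreted as SV* */
    return NULL;                  /* a real reference: SvRV is valid here */
}

/* One corrected predicate ("old_value is not already an array ref"), an
 * assumption here rather than the upstream patch: '||' short-circuits on
 * a non-reference, so SvRV runs only once old_value is known to be one. */
bool needs_wrap_fixed(SV *old_value) {
    return SvTYPE(old_value) != SVt_RV || SvTYPE(SvRV(old_value)) != SVt_PVAV;
}

/* Constructed samples standing in for a value already stored under a key. */
static SV plain_sv, av_sv, rv_sv;
static const char payload[] = "constructed attacker-controlled string";
const char *sample_payload(void) { return payload; }
SV *sample_plain_scalar(void) {
    plain_sv.type = SVt_PV; plain_sv.sv_u.svu_pv = payload; return &plain_sv;
}
SV *sample_arrayref(void) {
    av_sv.type = SVt_PVAV; rv_sv.type = SVt_RV; rv_sv.sv_u.svu_rv = &av_sv;
    return &rv_sv;
}
```

For the plain scalar the vulnerable path yields the string buffer itself
as the pointer to be treated as an SV, which is the advisory's point;
the corrected predicate wraps that scalar without ever reading SvRV.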

Problem types
-------------
- CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Solutions
---------
Upgrade to Cpanel::JSON::XS 4.41 or later.


References
----------
https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2.patch
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes

Timeline
--------
- 2026-02-24: Issue reported.
- 2026-05-27: Version 4.41 released with fix.
- 2026-05-28: Fix verified.

-- 
Paul Johnson - [email protected]
