CVE-2026-9334

NameCVE-2026-9334
DescriptionCpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138273

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcpanel-json-xs-perl (PTS)bullseye4.25-1vulnerable
bullseye (security)4.25-1+deb11u1vulnerable
bookworm, bookworm (security)4.35-1+deb12u1vulnerable
trixie (security), trixie4.39-2~deb13u1vulnerable
forky, sid4.42-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcpanel-json-xs-perlsource(unstable)4.41-11138273

Notes

[trixie] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
[bookworm] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
[bullseye] - libcpanel-json-xs-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40653179/
Fixed by: https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2 (4.41)
Search for package or bug name: Reporting problems