HIGH | CVE-2026-9334 | CNA: CPANSec

CVE-2026-9334: Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, the first comparison is true, so `&&` goes on to evaluate the second operand and a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled crashes, and the incompatible access follows a pointer taken from attacker-controlled scalar contents.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 4.41
Affected Products: 1


HarborGuard Analysis

Synopsis

A type confusion vulnerability in Cpanel::JSON::XS (Perl) before version 4.41 allows a remote, unauthenticated attacker to trigger a crash or corrupt memory by sending crafted JSON with duplicate object keys when the dupkeys_as_arrayref option is enabled. The flaw is reachable over the network without authentication and does not require any victim interaction. Successful exploitation disrupts service availability and may allow limited reads or writes through the corrupted pointer dereference. A patched-image rebuild at version 4.41 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-9334 is available across every HarborGuard environment, with ingestion from upstream advisory feeds occurring within minutes of publication and matching performed against all customer registry images, including custom-built Perl application images that bundle Cpanel::JSON::XS. Any image carrying a Cpanel::JSON::XS package older than 4.41 is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 7.3 (HIGH) and weights it against each environment's configured compliance policy to determine urgency. Triage routing sends the finding to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Available
Patch

A patched-image rebuild at Cpanel::JSON::XS 4.41 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable JSON decoder is exposed over the network; an attacker must be able to send HTTP requests or other network traffic carrying crafted JSON to a service using this library.

  • Authentication: Not required

    No credentials or session token are needed; the attacker only needs to deliver a JSON payload to an endpoint that decodes it.

  • Victim interaction: Not required

    No user action is required; the crash and pointer misuse occur automatically when the server-side application decodes the attacker-supplied JSON.

  • Attack complexity: Detail

    The exploit is reliable and condition-free under standard configurations; no race condition or special memory layout is required, only the presence of the dupkeys_as_arrayref option in the calling code.
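
A triage helper for the conditions listed above, added here as an example (not HarborGuard's or the Cpanel::JSON::XS project's code): it reports a code base as exposed only when the module version is below 4.41 and some Perl file enables dupkeys_as_arrayref. The method-call syntax with an optional enable argument, the file extensions, decimal-style version strings and the sample tree are assumptions.

```python
import re
import tempfile
from decimal import Decimal
from pathlib import Path

FIXED = Decimal("4.41")            # "Fixed in" version from this advisory
PERL_EXT = {".pl", ".pm", ".t", ".psgi", ".cgi"}   # assumed extensions
# Method-call form; treating "no argument or a true value" as enabling
# follows the JSON::XS-family option convention (an assumption here).
CALL = re.compile(r"->\s*dupkeys_as_arrayref\b\s*(?:\(\s*([^)]*?)\s*\))?")

def is_affected(version: str) -> bool:
    """True for decimal Perl versions below 4.41 (dev '_' separators dropped)."""
    return Decimal(version.replace("_", "")) < FIXED

def find_enabling_calls(root):
    """Return sorted (relative path, line number) of calls that enable the option."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix not in PERL_EXT or not path.is_file():
            continue
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("#"):      # skip whole-line comments only
                continue
            for m in CALL.finditer(line):
                if m.group(1) not in ("0", "''", '""'):
                    hits.append((path.relative_to(root).as_posix(), no))
    return sorted(hits)

def triage(version, root):
    """Exposed only if the version is affected AND some caller enables the option."""
    calls = find_enabling_calls(root) if is_affected(version) else []
    return {"affected_version": is_affected(version), "enabling_calls": calls,
            "exposed": bool(calls)}

def demo():
    """Constructed sample tree: one enabling caller, one disabling, one comment."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib" / "Api.pm").write_text(
            "use Cpanel::JSON::XS;\n"
            "my $json = Cpanel::JSON::XS->new->utf8->dupkeys_as_arrayref;\n")
        (root / "safe.pl").write_text(
            "my $j = Cpanel::JSON::XS->new->dupkeys_as_arrayref(0);\n"
            "# $j->dupkeys_as_arrayref(1);\n")
        return triage("4.40", root), triage("4.41", root)

if __name__ == "__main__":
    print(demo())
```

A clean result from the text scan does not cover options set through wrappers or configuration, so the version check remains the primary signal.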

Blast Radius

  • The affected service process crashes immediately on receipt of the crafted payload, causing a denial of service for all users of that process.
  • The misread pointer is taken from attacker-controlled scalar contents, giving the attacker a limited read primitive over adjacent process memory, which may expose in-process data such as decoded JSON values, session state, or environment variables.
  • The same pointer misuse creates a limited write opportunity, meaning an attacker may be able to corrupt heap metadata or scalar values held in the same process, potentially influencing subsequent application logic.
  • All three impacts (confidentiality, integrity, and availability) are rated LOW in the CVSS record, meaning the attacker's reach over process memory is constrained rather than unrestricted, but the crash alone is reliably reproducible.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9334 fires within minutes of the advisory appearing in upstream feeds, matching against every image in customer registries and CI pipelines, including custom Perl application images. For environments where an affected version of Cpanel::JSON::XS is present, a rebuild at the fixed version 4.41 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to a merged patch PR for HIGH-severity issues is around 90 minutes for environments with auto-remediation enabled. If your application explicitly enables dupkeys_as_arrayref and an immediate rebuild is not possible, consider isolating the affected service behind a network policy that restricts which clients can send arbitrary JSON payloads, as a compensating control while the patch is staged.


Fix available

4.41
Patch commits
Affected packages
  • RURBAN / Cpanel::JSON::XS
    < 4.41 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L