CVE-2026-9516: Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws

Synopsis

A denial-of-service vulnerability exists in the Cpanel::JSON::XS Perl library before version 4.41. When a caller passes a UTF-8 BOM-prefixed JSON document to decode_json() alongside a filter callback that throws a Perl exception (croaks), the library's internal string pointer is left in a corrupted state, causing the interpreter to abort when the scalar is freed. The vulnerability is reachable over the network with no authentication required, and successful exploitation crashes the calling process. A patched-image rebuild at version 4.41 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable decode path is reachable over the network; an attacker can deliver a crafted BOM-prefixed JSON payload to any exposed HTTP endpoint or API that uses Cpanel::JSON::XS with a filter callback.

• AuthenticationNot required

  No credentials or session token are needed; the attacker only needs to submit a JSON document to the target service.

• Victim interactionNot required

  No user action is required; the crash is triggered entirely by the server processing the malicious input.

• Attack complexityDetail

  The exploit is reliable and condition-free; a single well-formed BOM-prefixed document paired with a throwing filter callback is sufficient to crash the process every time.

Blast Radius

• Crashes the Perl interpreter process handling the request, taking down any co-located request handling for the duration of the restart cycle.
• A persistent or scripted stream of such requests keeps the service unavailable, resulting in sustained denial of service.
• No confidential data is disclosed and no data is modified; the impact is limited to availability.