=====================================================================

                            CERT-Renater

                 Information Note No. 2026/VULN584
_____________________________________________________________________

DATE                : 03/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Cpanel-JSON-XS versions prior to
                      4.41.

=====================================================================
https://lists.security.metacpan.org/cve-announce/msg/40653179/
https://lists.security.metacpan.org/cve-announce/msg/40653165/
_____________________________________________________________________

CVE-2026-9334: Cpanel::JSON::XS versions before 4.41 for Perl allow
type confusion via duplicate object keys when dupkeys_as_arrayref is
enabled

Paul Johnson 03 Jun 2026 00:32 UTC

========================================================================
CVE-2026-9334                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-9334
  Distribution:  Cpanel-JSON-XS
      Versions:  before 4.41

      MetaCPAN:  https://metacpan.org/dist/Cpanel-JSON-XS
      VCS Repo:  https://github.com/rurban/Cpanel-JSON-XS

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via
duplicate object keys when dupkeys_as_arrayref is enabled

Description
-----------
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via
duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference
under dupkeys_as_arrayref. The branch reached for a duplicate key tests
`SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) !=
SVt_PVAV`, which evaluates SvRV(old_value) before establishing that
old_value is a reference. When the existing value is a plain scalar
rather than an array reference, a non-reference scalar is dereferenced
as a reference.

A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is
crashed, and the incompatible access follows a pointer taken from
attacker-controlled scalar contents.

Problem types
-------------
- CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Solutions
---------
Upgrade to Cpanel::JSON::XS 4.41 or later.

References
----------
https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2.patch
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes

Timeline
--------
- 2026-02-24: Issue reported.
- 2026-05-27: Version 4.41 released with fix.
- 2026-05-28: Fix verified.

--
Paul Johnson - xxxxxx@pjcj.net
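
The guard ordering described in the CVE-2026-9334 advisory above, as an added example that is not code from Cpanel::JSON::XS or from the advisory's author. It models a decoded value with a simplified tagged struct instead of Perl's SV; `struct val`, `deref` and both `needs_wrap_*` functions are hypothetical names, and the guarded form is one correct ordering, not the upstream patch.

```c
#include <stddef.h>

/* Simplified stand-in for a decoded Perl value; not Perl's real SV layout. */
enum kind { K_SCALAR, K_REF, K_ARRAY };
struct val {
    enum kind kind;
    const struct val *target;  /* meaningful only when kind == K_REF */
};

static int bad_derefs;  /* times a non-reference was treated as a reference */
static const struct val NOTHING = { K_SCALAR, NULL };

/* Instrumented SvRV() stand-in: records the misuse instead of following
   whatever bytes a plain scalar happens to hold. */
static const struct val *deref(const struct val *v) {
    if (v->kind != K_REF) { bad_derefs++; return &NOTHING; }
    return v->target;
}

/* Shape of the test quoted in the advisory: the right-hand side runs
   exactly when the left-hand side has shown old is NOT a reference. */
static int needs_wrap_flawed(const struct val *old) {
    return old->kind != K_REF && deref(old)->kind != K_ARRAY;
}

/* Guarded form (assumption, not the upstream patch): look at the target
   only after the tag check has established that old is a reference. */
static int needs_wrap_guarded(const struct val *old) {
    return !(old->kind == K_REF && deref(old)->kind == K_ARRAY);
}

/* Run one predicate on a value and report how many bad derefs it caused. */
static int bad_derefs_for(int (*pred)(const struct val *), const struct val *v) {
    bad_derefs = 0;
    (void)pred(v);
    return bad_derefs;
}

/* Constructed cases: the earlier value is a plain scalar / already an array ref. */
static const struct val ARRAY = { K_ARRAY, NULL };
static const struct val PLAIN = { K_SCALAR, NULL };
static const struct val AREF  = { K_REF, &ARRAY };

int main(void) {
    /* exit status 0 when only the flawed form misuses the plain scalar */
    return !(bad_derefs_for(needs_wrap_flawed, &PLAIN) == 1 &&
             bad_derefs_for(needs_wrap_guarded, &PLAIN) == 0);
}
```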

_____________________________________________________________________

CVE-2026-9516: Cpanel::JSON::XS versions before 4.41 for Perl allow
denial of service via UTF-8 BOM prefixed input when a decode filter
callback throws

Paul Johnson 03 Jun 2026 00:34 UTC

========================================================================
CVE-2026-9516                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-9516
  Distribution:  Cpanel-JSON-XS
      Versions:  before 4.41

      MetaCPAN:  https://metacpan.org/dist/Cpanel-JSON-XS
      VCS Repo:  https://github.com/rurban/Cpanel-JSON-XS

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service
via UTF-8 BOM prefixed input when a decode filter callback throws

Description
-----------
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service
via UTF-8 BOM prefixed input when a decode filter callback throws.

To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input
scalar's string pointer past the mark with SvPV_set() and restores it
only on the normal return path. When decoding aborts through a Perl
exception, for example a filter_json_object callback that croaks, the
restore is skipped and the scalar is left with its string pointer
offset into its own buffer and a shortened length.

When that scalar is later freed, the allocator receives an invalid
pointer and the interpreter aborts. A single BOM-prefixed document
decoded with a throwing filter callback crashes any caller.

Problem types
-------------
- CWE-763 Release of Invalid Pointer or Reference
- CWE-755 Improper Handling of Exceptional Conditions

Solutions
---------
Upgrade to Cpanel::JSON::XS 4.41 or later.

References
----------
https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b.patch
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes

Timeline
--------
- 2026-05-18: Issue reported.
- 2026-05-27: Version 4.41 released with fix.
- 2026-05-28: Fix verified.

--
Paul Johnson - xxxxxx@pjcj.net
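
The restore-on-normal-path problem described in the CVE-2026-9516 advisory above, as an added example that is not code from Cpanel::JSON::XS or from the advisory's author. It assumes a plain C model: `struct buf` stands in for the scalar's string pointer and length, `longjmp` stands in for a Perl exception, all function names are hypothetical, and the local-cursor variant is one exception-safe pattern rather than the upstream fix.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

struct buf { char *ptr; size_t len; };  /* stand-in for the scalar's string pointer + length */
static jmp_buf on_error;                /* stand-in for Perl exception unwinding */

/* Hypothetical parser stub: a throwing filter callback becomes a longjmp. */
static void parse(const char *p, size_t n, int callback_throws) {
    (void)p; (void)n;
    if (callback_throws) longjmp(on_error, 1);
}

static int has_bom(const struct buf *b) {
    return b->len >= 3 && memcmp(b->ptr, "\xEF\xBB\xBF", 3) == 0;
}

/* Advisory's pattern: advance the owner's pointer, restore only on normal return. */
static void decode_mutating(struct buf *b, int throws) {
    int skipped = has_bom(b);
    if (skipped) { b->ptr += 3; b->len -= 3; }
    parse(b->ptr, b->len, throws);
    if (skipped) { b->ptr -= 3; b->len += 3; }  /* never reached on longjmp */
}

/* Exception-safe alternative (assumption, not the upstream patch): local cursor. */
static void decode_local_cursor(const struct buf *b, int throws) {
    const char *p = b->ptr; size_t n = b->len;
    if (has_bom(b)) { p += 3; n -= 3; }
    parse(p, n, throws);
}

/* Offset of the owner's pointer from the allocation start after a throwing decode. */
static long offset_after_throw(int use_local_cursor) {
    static const char doc[] = "\xEF\xBB\xBF{\"k\":1}";  /* constructed sample */
    static struct buf b;  /* static: must keep its value across longjmp */
    char *base = malloc(sizeof doc);
    if (!base) return -1;
    memcpy(base, doc, sizeof doc);
    b.ptr = base; b.len = sizeof doc - 1;
    if (setjmp(on_error) == 0) {
        use_local_cursor ? decode_local_cursor(&b, 1) : decode_mutating(&b, 1);
    }
    long off = (long)(b.ptr - base);
    free(base);  /* free the true allocation start, never b.ptr */
    return off;
}

int main(void) { return offset_after_throw(1) != 0; }
```

A non-zero offset means the owner would later hand the allocator a pointer into the middle of its own buffer, which is the invalid release the advisory classifies as CWE-763.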


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




