Fluid Attacks Database

Description

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libcpanel-json-xs-perl	=4.25-1 \|\| =4.25-1+deb11u1 \|\| =4.26-1 \|\| =4.27-1 \|\| =4.28-1 \|\| =4.29-1 \|\| =4.30-1 \|\| =4.31-1 \|\| =4.32-1 \|\| =4.35-1 \|\| =4.36-1 \|\| =4.37-1 \|\| =4.38-1 \|\| =4.39-1 \|\| =4.39-2 \|\| =4.39-2~deb13u1 \|\| =4.40-1 \|\| =4.41-1	-
debian 13	libcpanel-json-xs-perl	=4.39-1 \|\| =4.39-2 \|\| =4.39-2~deb13u1 \|\| =4.40-1 \|\| =4.41-1	-
debian 12	libcpanel-json-xs-perl	=4.35-1 \|\| =4.35-1+deb12u1 \|\| =4.36-1 \|\| =4.37-1 \|\| =4.38-1 \|\| =4.39-1 \|\| =4.39-2 \|\| =4.39-2~deb13u1 \|\| =4.40-1 \|\| =4.41-1	-
debian 14	libcpanel-json-xs-perl	=4.39-1 \|\| =4.39-2 \|\| =4.39-2~deb13u1 \|\| =4.40-1 \|\| >=0 <4.41-1	4.41-1

Aliases

1. CVE-2026-93342. NVD-2026-93343. OSV-DEBIAN-2026-93344. OSV-2026-93345. SECURITY-TRACKER-CVE-2026-9334

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.