PT-2026-35929 · Cpan · Text::Csv Xs

Leon Timmermans · Published 2026-04-29 · Updated 2026-05-13 · CVE-2026-7111

CVSS v3.1: 8.4 High

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Text::CSV_XS versions prior to 1.62

Description

A use-after-free issue exists when registered callbacks extend the Perl argument stack, potentially leading to type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks, such as after_parse, before_print, or on_error, and cache the Perl argument stack pointer. If a callback triggers a reallocation by extending the stack, the return value is written through a stale pointer into a freed buffer. Consequently, the caller may receive the original $self argument instead of the expected parsed data, resulting in logic errors or crashes. This issue does not affect objects used without registered callbacks.

Recommendations

Update to version 1.62 or later. As a temporary workaround, avoid using registered callbacks in the Parse, print, getline, and getline_all methods.
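
One way to check a host and code base against the two conditions above (installed version older than 1.62, and callbacks actually registered), as an added example that is not part of the advisory or of the Text::CSV_XS distribution. The source files to scan are passed as arguments; the regular expression is a line-based heuristic built from the callback names listed in the description, and it will miss callbacks registered under other names or across line breaks.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory: exposure check for CVE-2026-7111.
use strict;
use warnings;
use version;

my $FIXED = version->parse('1.62');    # first fixed release per the advisory

# Heuristic: callback names from the advisory, plus the callbacks attribute
# and method as ways of registering them.
my $CALLBACK_RE =
    qr/\b(?:after_parse|before_print|on_error)\b|\bcallbacks\s*(?:=>|\()/;

# 1 if the installed module is older than 1.62, 0 if not, undef if absent.
sub installed_is_affected {
    return undef unless eval { require Text::CSV_XS; 1 };
    return version->parse(Text::CSV_XS->VERSION()) < $FIXED ? 1 : 0;
}

# "file:line: source" for every line that appears to register a callback.
sub callback_sites {
    my @hits;
    for my $file (@_) {
        open my $fh, '<', $file or do { warn "skip $file: $!\n"; next };
        while (my $line = <$fh>) {
            next if $line =~ /^\s*#/;        # comment-only line
            next unless $line =~ $CALLBACK_RE;
            chomp $line;
            push @hits, "$file:$.: $line";
        }
        close $fh;
    }
    return @hits;
}

my $affected = installed_is_affected();
my @hits     = callback_sites(@ARGV);

print 'Text::CSV_XS: ',
    !defined $affected ? 'not installed'
  : Text::CSV_XS->VERSION() . ($affected ? " (older than $FIXED, affected)" : ' (fixed)'),
    "\n";
print "callback registration: $_\n" for @hits;

# Objects without registered callbacks are not affected, so fail only
# when an affected version and callback use are found together.
exit( ($affected && @hits) ? 1 : 0 );
```

The non-zero exit status makes the script usable as a CI gate until every host is on 1.62 or later.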

Fix

Use After Free


Weakness Enumeration

Related Identifiers

CVE-2026-7111
OPENSUSE-SU-2026:10774-1

Affected Products

Text::Csv Xs