PT-2026-45891 · Rurban · Cpanel::Json::Xs

Published 2026-06-03 · Updated 2026-06-03 · CVE-2026-9334

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests SvTYPE(old_value) != SVt_RV && SvTYPE(SvRV(old_value)) != SVt_PVAV, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.

A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker-controlled scalar contents.
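
The evaluation-order problem described above, modelled in plain C as an added example (not code from Cpanel::JSON::XS). The names value, deref and needs_wrap_* are hypothetical stand-ins for an SV, SvRV() and the duplicate-key test, and the checked variant is one safe ordering assumed here, not the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a Perl SV: a type tag plus a target pointer
 * that is meaningful only when the tag says "reference". */
typedef enum { T_SCALAR, T_RV, T_AV } vtype;
typedef struct value {
    vtype type;
    const struct value *target;   /* valid only when type == T_RV */
} value;

static int bad_derefs;            /* dereferences of a non-reference */

/* Model of SvRV(): records the misuse instead of following a bogus pointer. */
static const value *deref(const value *v) {
    static const value poison = { T_SCALAR, NULL };
    if (v->type != T_RV) { bad_derefs++; return &poison; }
    return v->target;
}

/* Shape of the test quoted in the advisory: for a non-reference the left
 * operand is true, so && goes on to evaluate deref(old). */
static bool needs_wrap_flawed(const value *old) {
    return old->type != T_RV && deref(old)->type != T_AV;
}

/* Assumed safe ordering: look through old only once it is known to be a
 * reference; anything that is not already an array reference gets wrapped. */
static bool needs_wrap_checked(const value *old) {
    bool is_arrayref = old->type == T_RV && deref(old)->type == T_AV;
    return !is_arrayref;
}

int main(void) {
    /* Constructed inputs: the value already stored under a duplicated key. */
    const value scalar = { T_SCALAR, NULL };  /* first occurrence was a plain scalar */
    const value av     = { T_AV, NULL };
    const value aref   = { T_RV, &av };       /* key already collapsed to an arrayref */

    bool w = needs_wrap_checked(&scalar);
    printf("checked, scalar:   wrap=%d bad_derefs=%d\n", w, bad_derefs);
    w = needs_wrap_checked(&aref);
    printf("checked, arrayref: wrap=%d bad_derefs=%d\n", w, bad_derefs);
    w = needs_wrap_flawed(&scalar);
    printf("flawed,  scalar:   wrap=%d bad_derefs=%d\n", w, bad_derefs);
    return 0;
}
```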

Type Confusion

Weakness Enumeration

Related Identifiers

CVE-2026-9334

Affected Products

Cpanel::Json::Xs