CVE-2026-9334

Name of the Vulnerable Software and Affected Versions Cpanel::JSON::XS versions prior to 4.41

Description Type confusion occurs when dupkeys as arrayref is enabled, allowing duplicate object keys to cause a crash. The decode hv() function collapses duplicate keys into an array reference; however, it performs a dereference operation on old value before confirming it is actually a reference. If the existing value is a plain scalar, the system attempts to dereference a non-reference scalar using a pointer derived from attacker-controlled content.

Recommendations Update to version 4.41 or later. As a temporary workaround, disable the dupkeys as arrayref option when decoding untrusted JSON.