PT-2026-45892 · Cpan · Cpanel::Json::Xs

Paul Johnson · Published 2026-06-03 · Updated 2026-06-05 · CVE-2026-9516

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Cpanel::JSON::XS versions prior to 4.41
Description: Input prefixed with a UTF-8 Byte Order Mark (BOM) can cause a denial of service. When decode_json() processes a 3-byte UTF-8 BOM, it advances the input scalar's string pointer using SvPV_set(). If decoding is then aborted by a Perl exception, for example when a filter_json_object callback dies, the pointer is never restored. The scalar is left with a shortened length and a string pointer that points into the middle of its own buffer. When the scalar is later freed, the allocator receives that interior pointer rather than the one it handed out, and the interpreter aborts, crashing the caller.
Recommendations: Update to version 4.41 or later.
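To make the failure mode concrete, the following is an added C model of the bug class the description names; it is not code from Cpanel::JSON::XS or from the advisory author. The `Scalar` struct, the `dying_callback` stand-in for a Perl exception and the two `decode_*` functions are assumptions standing in for Perl's SV, croak and the module's decoder, and `longjmp` plays the role of the exception. The version that rewrites the scalar's own pointer is left pointing into its buffer when the callback dies; the version that keeps its parse position in locals leaves the scalar untouched.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a Perl string scalar. `buf` is what malloc handed
 * out and what free() must receive; `cur`/`len` are the pointer and length
 * the decoder works with (Perl's SvPVX/SvCUR; the field names here are
 * assumptions for the illustration, not the interpreter's). */
typedef struct {
    char *buf;
    char *cur;
    size_t len;
} Scalar;

static const char UTF8_BOM[3] = { '\xEF', '\xBB', '\xBF' };

/* Stand-in for a Perl exception: a filter callback that dies mid-decode. */
static jmp_buf abort_env;
static void dying_callback(void) { longjmp(abort_env, 1); }

/* Vulnerable pattern (modelled on the advisory text, not on the module's
 * source): the BOM is skipped by rewriting the scalar's own pointer and
 * length, with the undo placed after the work. An exception jumps over it. */
static void decode_mutating(Scalar *sv, int callback_dies) {
    int skipped = 0;
    if (sv->len >= 3 && memcmp(sv->cur, UTF8_BOM, 3) == 0) {
        sv->cur += 3;            /* like SvPV_set(sv, SvPVX(sv) + 3) */
        sv->len -= 3;
        skipped = 1;
    }
    if (callback_dies)
        dying_callback();        /* control never comes back here */
    if (skipped) {               /* restore, reached only on the happy path */
        sv->cur -= 3;
        sv->len += 3;
    }
}

/* Hardened pattern: the parse position lives in locals, so the scalar is
 * never modified and there is nothing to restore on any exit path. */
static void decode_local_cursor(const Scalar *sv, int callback_dies) {
    const char *p = sv->cur;
    size_t n = sv->len;
    if (n >= 3 && memcmp(p, UTF8_BOM, 3) == 0) {
        p += 3;
        n -= 3;
    }
    if (callback_dies)
        dying_callback();
    (void)p; (void)n;            /* a real decoder would parse from p/n here */
}

/* Builds a BOM-prefixed scalar ("\xEF\xBB\xBF{}", constructed sample input),
 * runs one decode whose callback dies, and reports whether the scalar still
 * points at its own allocation afterwards. Returns 1 when the decoder-visible
 * pointer is still the allocation, 0 when it has become an interior pointer. */
static int scalar_intact_after_abort(int use_local_cursor) {
    Scalar *sv = malloc(sizeof *sv);    /* heap, so longjmp cannot clobber it */
    sv->buf = malloc(6);
    memcpy(sv->buf, UTF8_BOM, 3);
    memcpy(sv->buf + 3, "{}", 3);       /* includes the terminating NUL */
    sv->cur = sv->buf;
    sv->len = 5;

    if (setjmp(abort_env) == 0) {
        if (use_local_cursor)
            decode_local_cursor(sv, 1);
        else
            decode_mutating(sv, 1);
    }
    /* Execution resumes here after the "exception". */
    int intact = (sv->cur == sv->buf && sv->len == 5);

    free(sv->buf);   /* the real allocation; free(sv->cur) in the mutating case
                        would be the invalid-pointer abort the advisory
                        describes, so it is deliberately not performed here */
    free(sv);
    return intact;
}

int main(void) {
    printf("mutating pointer, aborted decode: scalar intact = %d\n",
           scalar_intact_after_abort(0));
    printf("local cursor, aborted decode:     scalar intact = %d\n",
           scalar_intact_after_abort(1));
    return 0;
}
```

The example checks the scalar's state rather than freeing through `sv->cur`, because that free is exactly the crash the advisory describes. Whatever the project changed in 4.41, the invariant worth checking in your own XS or C code is the same: anything that temporarily rewrites an object's owning pointer must restore it on every exit path, including the exceptional one, or must not rewrite it at all.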

Fix

DoS

Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers

CVE-2026-9516
OPENSUSE-SU-2026:10950-1

Affected Products

Cpanel::Json::Xs