{
   "document": {
      "category": "csaf_security_advisory",
      "csaf_version": "2.0",
      "distribution": {
         "tlp": {
            "label": "WHITE",
            "url": "https://www.first.org/tlp/"
         }
      },
      "lang": "en",
      "notes": [
         {
            "category": "description",
            "text": "Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.  decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.  A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.",
            "title": "Vulnerability Description"
         }
      ],
      "publisher": {
         "category": "other",
         "contact_details": "gdt@cpan.org",
         "name": "giterlizzi",
         "namespace": "https://github.com/giterlizzi/"
      },
      "references": [
         {
            "category": "self",
            "summary": "CPANSA-Cpanel-JSON-XS-2026-9334 JSON",
            "url": "https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-cpanel-json-xs-2026-9334.json"
         },
         {
            "category": "external",
            "summary": "https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2.patch",
            "url": "https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2.patch"
         },
         {
            "category": "external",
            "summary": "https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes",
            "url": "https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes"
         },
         {
            "category": "external",
            "summary": "http://www.openwall.com/lists/oss-security/2026/06/03/4",
            "url": "http://www.openwall.com/lists/oss-security/2026/06/03/4"
         },
         {
            "category": "external",
            "summary": "CVE-2026-9334 (NVD)",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9334"
         }
      ],
      "title": "Cpanel-JSON-XS vulnerability",
      "tracking": {
         "current_release_date": "2026-06-03T00:00:00",
         "generator": {
            "engine": {
               "name": "CSAF Perl Toolkit",
               "version": "0.26"
            }
         },
         "id": "CPANSA-Cpanel-JSON-XS-2026-9334",
         "initial_release_date": "2026-06-03T00:00:00",
         "revision_history": [
            {
               "date": "2026-06-03T00:00:00",
               "number": "1",
               "summary": "First release"
            }
         ],
         "status": "final",
         "version": "1"
      }
   },
   "product_tree": {
      "branches": [
         {
            "branches": [
               {
                  "category": "product_version_range",
                  "name": "vers:cpan/<4.41",
                  "product": {
                     "name": "Cpanel-JSON-XS less than 4.41",
                     "product_id": "CSAFPID-0001",
                     "product_identification_helper": {
                        "purl": "pkg:cpan/Cpanel-JSON-XS"
                     }
                  }
               },
               {
                  "category": "product_version_range",
                  "name": "vers:cpan/>=4.41",
                  "product": {
                     "name": "Cpanel-JSON-XS greater than or equal 4.41",
                     "product_id": "CSAFPID-0002",
                     "product_identification_helper": {
                        "purl": "pkg:cpan/Cpanel-JSON-XS"
                     }
                  }
               }
            ],
            "category": "product_name",
            "name": "Cpanel-JSON-XS"
         }
      ]
   },
   "vulnerabilities": [
      {
         "cve": "CVE-2026-9334",
         "cwe": {
            "id": "CWE-843",
            "name": "Access of Resource Using Incompatible Type ('Type Confusion')"
         },
         "notes": [
            {
               "category": "description",
               "text": "Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.\n\ndecode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.\n\nA caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.",
               "title": "Vulnerability Description"
            }
         ],
         "product_status": {
            "fixed": [
               "CSAFPID-0002"
            ],
            "known_affected": [
               "CSAFPID-0001"
            ]
         },
         "scores": [
            {
               "cvss_v3": {
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
               },
               "products": [
                  "CSAFPID-0001"
               ]
            }
         ]
      }
   ]
}