Critical DoS Vulnerabilities in perl-Cpanel-JSON-XS Affect Fedora Users

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: fedora, perl-cpanel-json-xs, update, addresses, number, bugs, including

Severity indicators: bug, rat

Summary

Fedora has released updates for the perl-Cpanel-JSON-XS package addressing critical Denial of Service (DoS) vulnerabilities identified as CVE-2026-9516 and CVE-2026-9334. These vulnerabilities can be exploited through malformed JSON input, leading to application crashes. The issues were published on June 3, 2026, and affect users of Fedora 43 and 44. The updates fix a BOM-shift PV-corruption SIGABRT and a type confusion with duplicate JSON object keys. Users are advised to apply the updates using the 'dnf' package manager. The vulnerabilities were confirmed by Fedora Release Engineering and are considered significant due to their potential impact on system stability. The updates were made available on May 28, 2026.

Key Points:

  • Fedora updates address critical DoS vulnerabilities in perl-Cpanel-JSON-XS.
  • CVE-2026-9516 and CVE-2026-9334 can lead to application crashes via malformed JSON.
  • Users are urged to apply the updates immediately using the 'dnf' package manager.

Detailed Analysis

**Impact** Fedora users running versions 43 and 44 are affected by critical and moderate Denial of Service (DoS) vulnerabilities in the perl-Cpanel-JSON-XS library. These vulnerabilities can cause application crashes, potentially disrupting services that rely on JSON parsing. No specific sectors, geographies, or data breach details are provided in the sources.

**Technical Details** Two DoS vulnerabilities are identified: CVE-2026-9516, triggered by UTF-8 BOM prefixed input causing PV-corruption and SIGABRT crashes, and CVE-2026-9334, a type confusion issue caused by duplicate JSON object keys. Exploitation occurs during JSON parsing, leading to application termination. No malware, tools, or infrastructure details are mentioned. The attack targets the execution and impact stages of the kill chain.

**Recommended Response** Apply the perl-Cpanel-JSON-XS updates available for Fedora 43 (advisory FEDORA-2026-d88c7fac8c) and Fedora 44 (advisory FEDORA-2026-0a82e80353) using the "dnf" package manager immediately. Monitor application logs for crashes related to JSON parsing errors. No additional detection or mitigation indicators are provided in the articles.

Source articles (2)

  • Fedora 43 perl-Cpanel-JSON-XS Critical DoS Fix FEDORA-2026 — Linuxsecurity · 2026-06-05
    This update addresses a number of bugs including these security issues: Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516) Fix dupkeys_as_arrayref type confusion (CVE-2026-9334) * Thu May 28 2026 Pau…
  • Fedora 44 perl-Cpanel-JSON-XS Moderate Denial of Service CVE-2026 — Linuxsecurity · 2026-06-05
    This update addresses a number of bugs including these security issues: Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516) Fix dupkeys_as_arrayref type confusion (CVE-2026-9334) * Thu May 28 2026 Pau…

Timeline

  • 2026-05-28 — Fedora updates released: Updates for perl-Cpanel-JSON-XS addressing critical DoS vulnerabilities were released by Paul Howarth.
  • 2026-06-03 — CVE-2026-9334 published: Denial of Service via type confusion with duplicate JSON object keys reported for perl-Cpanel-JSON-XS.
  • 2026-06-03 — CVE-2026-9516 published: Denial of Service via UTF-8 BOM prefixed input reported for perl-Cpanel-JSON-XS.

CVEs

  • CVE-2026-9334
  • CVE-2026-9516

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-125 - Out-of-bounds Read (CWE)
  • CWE-843 - Type Confusion (CWE)
  • Linux (Platform)