CVE-2026-7111
Description
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 1.62-1 |
| debian | sid | fixed | 1.62-1 |
| debian | trixie | fixed | 1.60-1+deb13u1 |
| sles | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hmbrand | text\ | {"endExcluding":"1.62"} | 1.62 |
References
- https://github.com/cpan-authors/Text-CSV_XS/commit/c17f31a5f2bf36674748eb4b6e25672f0571a224.patch
- https://metacpan.org/release/HMBRAND/Text-CSV_XS-1.62/changes
- http://www.openwall.com/lists/oss-security/2026/04/29/17
- https://security-tracker.debian.org/tracker/CVE-2026-7111
- https://www.suse.com/security/cve/CVE-2026-7111.html
CWEs
CWE-416 CWE-825
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.