CVE-2026-7111 Overview
CVE-2026-7111 is a Use After Free vulnerability affecting Text::CSV_XS versions before 1.62 for Perl. The vulnerability occurs when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption.
The Parse, print, getline, and getline_all methods invoke registered callbacks (such as after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead.
Critical Impact
Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors, crashes, or potential memory corruption that could be exploited for code execution.
Affected Products
- Text::CSV_XS versions before 1.62 for Perl
Discovery Timeline
- 2026-04-25 - Patch released in Text::CSV_XS version 1.62
- 2026-04-29 - CVE CVE-2026-7111 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7111
Vulnerability Analysis
This vulnerability is classified under CWE-416 (Use After Free). The flaw exists in the XS (C) code that implements the high-performance CSV parsing routines in Text::CSV_XS. When callback functions are registered for events like after_parse, before_print, or on_error, the module caches the Perl stack pointer (SP) before invoking the callback. However, if the callback code causes sufficient stack growth to trigger a reallocation of the underlying stack memory, the cached pointer becomes stale.
The vulnerability requires local access to exploit, as an attacker would need to control the callback registration or influence Perl code execution. The attack complexity is low once an attacker can register malicious callbacks, and no privileges or user interaction are required. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability through memory corruption or type confusion.
Root Cause
The root cause is improper handling of the Perl argument stack across callback invocations in the XS code. The module's internal C code stores a pointer to the Perl stack, invokes user-defined callbacks, and then uses the original pointer to access the return value. If the stack is reallocated during callback execution, this stale pointer references freed memory, causing the use-after-free condition.
Specifically, Text::CSV_XS objects used without any registered callbacks are not affected, as the vulnerable code path is only triggered when callbacks are present.
Attack Vector
An attacker could exploit this vulnerability by:
- Creating or modifying Perl code that uses Text::CSV_XS with registered callbacks
- Designing a callback that deliberately extends the argument stack through operations like pushing many values or calling functions with large argument lists
- Causing the stack reallocation which results in the stale pointer being used
- Leveraging the type confusion where the Text::CSV_XS object is returned instead of parsed data, potentially leading to further memory corruption or code execution
The fix introduces a PUT_RETURN macro that properly refreshes the stack pointer using SPAGAIN before writing the return value:
+#define undef &PL_sv_undef
+#define PUT_RETURN(x)\
+ SPAGAIN;\
+ ST (0) = x;\
+ XSRETURN (1)
Source: GitHub Commit Patch
The SPAGAIN macro refreshes the local stack pointer after a potential reallocation, ensuring the return value is written to valid memory.
Detection Methods for CVE-2026-7111
Indicators of Compromise
- Application crashes or segmentation faults during CSV parsing operations
- Unexpected type confusion errors where code receives Text::CSV_XS objects instead of expected array data
- Memory corruption artifacts in Perl applications using Text::CSV_XS with callbacks
Detection Strategies
- Audit Perl applications for usage of Text::CSV_XS versions prior to 1.62 with registered callbacks (after_parse, before_print, on_error)
- Monitor for unexpected crashes in CSV processing workflows
- Implement runtime checks for return value types from getline_all and similar methods
Monitoring Recommendations
- Track installed Perl module versions across systems using package management tools
- Monitor application logs for unexpected errors or crashes related to CSV parsing
- Implement application-level type validation for return values from CSV parsing functions
How to Mitigate CVE-2026-7111
Immediate Actions Required
- Upgrade Text::CSV_XS to version 1.62 or later immediately
- Audit Perl applications to identify usage of registered callbacks with Text::CSV_XS
- If immediate upgrade is not possible, temporarily remove callback registrations from Text::CSV_XS usage
Patch Information
The vulnerability has been fixed in Text::CSV_XS version 1.62, released on 2026-04-25. The fix addresses the stack corruption issue by properly refreshing the stack pointer after callback invocations. For detailed patch information, see the GitHub Commit Patch and the MetaCPAN Release Changes.
Workarounds
- Remove registered callbacks (after_parse, before_print, on_error) from Text::CSV_XS usage until patched
- Use alternative CSV parsing modules temporarily if callback functionality is not critical
- Implement manual validation of return types from CSV parsing methods to detect potential type confusion
# Upgrade Text::CSV_XS using CPAN
cpan Text::CSV_XS
# Or using cpanm
cpanm Text::CSV_XS@1.62
# Verify installed version
perl -MText::CSV_XS -e 'print $Text::CSV_XS::VERSION'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
