CVE-2026-7111
Published: 29 April 2026
Summary
CVE-2026-7111 is a high-severity Use After Free (CWE-416) vulnerability in Hmbrand Text (the Text::CSV_XS Perl module). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
Text::CSV_XS versions before 1.62 for Perl contain a use-after-free vulnerability (CWE-416, CWE-825) that occurs when registered callbacks, such as after_parse, before_print, or on_error, extend the Perl argument stack during calls to the parse, print, getline, or getline_all methods. These methods cache the Perl argument stack pointer across the callback invocation; if the callback extends the stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer. The caller then reads the original Text::CSV_XS object as the return value instead of the expected parsed data. Text::CSV_XS objects used without registered callbacks are unaffected.
A local attacker (AV:L, PR:N, UI:N) can exploit this vulnerability with low complexity (AC:L) to achieve high impacts on confidentiality, integrity, and availability (CVSS 8.4, S:U, C:H/I:H/A:H). By crafting a malicious callback that extends the stack, the attacker induces type confusion or memory corruption, causing calling code expecting parsed CSV data from methods like getline_all to receive the Text::CSV_XS object instead. This leads to logic errors, crashes, or potential further exploitation depending on how the module is integrated into the application.
Advisories recommend upgrading to Text::CSV_XS version 1.62, which addresses the issue via a patch fixing the stack pointer handling (commit c17f31a5f2bf36674748eb4b6e25672f0571a224). The release changes are documented on MetaCPAN, and the vulnerability was disclosed on the oss-security mailing list.
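The two practical defences that follow from the description above are a version gate (1.62 or later) and a return-type check around getline_all, since on an affected build with callbacks registered the method can hand back the parser object instead of an array of rows. The script below is an added example written for this page, not code from the advisory or from the Text::CSV_XS project; it assumes Text::CSV_XS is installed, and the CSV input is constructed.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the Text::CSV_XS project).
# Assumes Text::CSV_XS is installed; the CSV data below is constructed.
use strict;
use warnings;
use Text::CSV_XS;
use Scalar::Util qw(blessed reftype);

# 1. Version gate: the advisory states the fix shipped in 1.62.
sub csv_xs_is_patched {
    my $v = $Text::CSV_XS::VERSION;
    return $v >= 1.62;
}

# 2. Return-type guard: on an unpatched build with callbacks registered,
#    getline_all may return the parser object itself instead of rows.
sub checked_getline_all {
    my ($csv, $fh) = @_;
    my $rows = $csv->getline_all($fh);
    my $kind = blessed($rows) // reftype($rows) // 'undef';
    die "getline_all returned $kind instead of an ARRAY ref; "
      . "suspect CVE-2026-7111 (Text::CSV_XS $Text::CSV_XS::VERSION)\n"
      unless !blessed($rows) && $kind eq 'ARRAY';
    return $rows;
}

my $data = "id,name\n1, alice \n2, bob \n";   # constructed sample input
open my $fh, '<', \$data or die "in-memory open failed: $!";

my $csv = Text::CSV_XS->new({ binary => 1, auto_diag => 1 });
# An ordinary after_parse callback: trims each field in place and pushes
# nothing onto the Perl argument stack.
$csv->callbacks(after_parse => sub {
    my ($self, $row) = @_;
    s/^\s+|\s+$//g for @$row;
    return;
});

warn "Text::CSV_XS $Text::CSV_XS::VERSION predates the 1.62 fix; upgrade\n"
    unless csv_xs_is_patched();

my $rows = checked_getline_all($csv, $fh);
printf "%d rows; first is [%s]\n", scalar @$rows, join('|', @{ $rows->[0] });
```

On a patched build this prints three rows with the header first; the guard is cheap enough to leave in place wherever getline_all results feed further logic.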
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26237
Vulnerability details
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free with memory corruption or type confusion in a locally loaded Perl module enables local exploitation for privilege escalation via code execution (T1068) and application crashes for denial of service (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the use-after-free flaw in Text::CSV_XS by patching to version 1.62, directly eliminating the vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running Text::CSV_XS versions before 1.62 so they can be fixed before exploitation occurs.
- System component inventory: maintains an inventory of system components, including Perl modules, to pinpoint those affected by CVE-2026-7111 for targeted remediation.