CVE-2026-7111
Published: 29 April 2026
Summary
CVE-2026-7111 is a high-severity Use After Free (CWE-416) vulnerability in Hmbrand Text::CSV_XS. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 5.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): requires timely remediation of the use-after-free flaw in Text::CSV_XS by patching to version 1.62, directly eliminating the vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running vulnerable Text::CSV_XS versions before exploitation occurs.
- System component inventory: maintains an inventory of system components, including Perl modules, to pinpoint those affected by CVE-2026-7111 for targeted remediation.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Use-after-free with memory corruption/type confusion in local Perl module enables local exploitation for privilege escalation via code execution (T1068) and application crashes for DoS (T1499.004).
NVD Description
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Deeper analysis [AI-generated]
Text::CSV_XS versions before 1.62 for Perl contain a use-after-free vulnerability (CWE-416, CWE-825) that occurs when registered callbacks, such as after_parse, before_print, or on_error, extend the Perl argument stack during calls to the Parse, print, getline, or getline_all methods. These methods cache the Perl argument stack pointer across the callback invocation; if the callback triggers a stack reallocation by extending it sufficiently, the return value is written through the stale pointer into a freed buffer. The caller then reads the original Text::CSV_XS object as the return value instead of the expected parsed data. Modules used without registered callbacks are unaffected.
A local attacker (AV:L, PR:N, UI:N) can exploit this vulnerability with low complexity (AC:L) to achieve high impacts on confidentiality, integrity, and availability (CVSS 8.4, S:U, C:H/I:H/A:H). By crafting a malicious callback that extends the stack, the attacker induces type confusion or memory corruption, causing calling code expecting parsed CSV data from methods like getline_all to receive the Text::CSV_XS object instead. This leads to logic errors, crashes, or potential further exploitation depending on how the module is integrated into the application.
Advisories recommend upgrading to Text::CSV_XS version 1.62, which addresses the issue via a patch fixing the stack pointer handling (commit c17f31a5f2bf36674748eb4b6e25672f0571a224). The release changes are documented on MetaCPAN, and the vulnerability was disclosed on the oss-security mailing list.
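The following Perl script is an added example, not code from the advisory or from the Text::CSV_XS project. It implements the two defensive actions the page describes: it compares the installed module version against the fixed release 1.62, and it wraps getline_all so that the documented failure mode (receiving the Text::CSV_XS object instead of an array reference) is caught rather than propagating as a silent logic error. The sample CSV input and the callback registration are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the Text::CSV_XS project).
# Detection and guard for CVE-2026-7111 in calling code.
use strict;
use warnings;
use version;

my $fixed = version->parse('1.62');   # first release with the fix, per the advisory

# Load the module at run time so a missing install is reported, not fatal.
my $have = eval { require Text::CSV_XS; 1 };
if (!$have) {
    print "Text::CSV_XS not installed; nothing to check\n";
    exit 0;
}

my $installed = version->parse($Text::CSV_XS::VERSION);
if ($installed < $fixed) {
    print "VULNERABLE: Text::CSV_XS $installed < $fixed (CVE-2026-7111); "
        . "upgrade, or avoid registering callbacks until patched\n";
} else {
    print "OK: Text::CSV_XS $installed >= $fixed\n";
}

# Defensive wrapper: the advisory states that calling code expecting parsed
# data may receive the $self object instead. Validate the return type.
sub safe_getline_all {
    my ($csv, $fh) = @_;
    my $rows = $csv->getline_all($fh);
    if (ref $rows ne 'ARRAY') {
        die sprintf "getline_all returned %s instead of an array ref; "
            . "possible CVE-2026-7111 stack corruption\n",
            ref($rows) || 'a scalar';
    }
    return $rows;
}

# Constructed sample input. A callback is registered because the flaw only
# applies to objects that have callbacks; this one does not grow the stack.
my $csv = Text::CSV_XS->new({
    binary    => 1,
    auto_diag => 1,
    callbacks => { after_parse => sub { } },
});
open my $fh, '<', \"a,b\n1,2\n" or die "open: $!";
my $rows = safe_getline_all($csv, $fh);
printf "parsed %d rows\n", scalar @$rows;
```

The version check covers the RA-5/SI-2 controls listed above; the wrapper is a stopgap for code that cannot be upgraded immediately and still registers callbacks.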
Details
- CWE(s)