Heap Out of Bounds Read in Crypt::OpenSSL::PKCS12 for Perl
CVE-2026-9265
What is CVE-2026-9265?
Crypt::OpenSSL::PKCS12 versions prior to 1.96 for Perl have a vulnerability in which the print_attribute() function improperly handles UTF8STRING ASN.1 attributes, leading to a heap out-of-bounds read. The function uses strncpy() to copy the attribute value into a heap buffer sized to exactly the length of the input, so no NUL terminator is written. Downstream functions such as strlen() therefore read beyond the end of the buffer, which can disclose adjacent heap memory whose contents an attacker may influence. Users should update to the patched version to mitigate the risks associated with this vulnerability.
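As an added illustration of the bug class described above (constructed for this page, not the module's own code), the unterminated-copy pattern sits beside its hardened form; the function names, the bounded terminator check and the sample attribute bytes are assumptions made for the example:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the advisory's bug class; not the module's
 * code. An ASN.1 UTF8STRING value arrives as a pointer plus an explicit
 * length and is NOT NUL-terminated on the wire. */

/* Vulnerable pattern: buffer sized to exactly `len`, strncpy copies `len`
 * bytes, so no terminator is ever written. Any later strlen() or
 * printf("%s") on the result walks off the end of the heap allocation. */
char *copy_attr_unterminated(const unsigned char *value, size_t len)
{
    char *buf = malloc(len);                 /* no room for '\0' */
    if (buf == NULL)
        return NULL;
    strncpy(buf, (const char *)value, len);  /* fills all len bytes, no NUL */
    return buf;                              /* caller must not strlen() this */
}

/* Hardened form: allocate len + 1, copy with memcpy (a UTF8STRING may
 * legitimately contain any byte, so strncpy's stop-at-NUL semantics are
 * the wrong tool), and terminate explicitly. */
char *copy_attr_terminated(const unsigned char *value, size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, value, len);
    buf[len] = '\0';
    return buf;
}

/* Bounded check: is there a terminator within the first `cap` bytes?
 * memchr never reads past `cap`, so the check itself cannot overrun. */
int has_terminator(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Constructed sample: a 5-byte UTF8STRING payload with no terminator. */
static const unsigned char SAMPLE_ATTR[] = { 'a', 'd', 'm', 'i', 'n' };
#define SAMPLE_LEN (sizeof SAMPLE_ATTR)
```

Running the hardened copy under AddressSanitizer or Valgrind is the quickest way to confirm that a strlen() on the result stays inside the allocation, while the unterminated variant is flagged as a heap-buffer-overflow read.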
Affected Version(s)
Crypt::OpenSSL::PKCS12: from 0 up to, but not including, 1.96
