CVE-2026-9265
Deferred Deferred - Pending Action

Heap OOB Read in Crypt::OpenSSL::PKCS12 Perl Module

Vulnerability report for CVE-2026-9265, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-22

Assigner: CPANSec

Description

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-22
Generated
2026-07-10
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-9265 is a security vulnerability in the Perl module Crypt::OpenSSL::PKCS12 versions before 1.96. It involves a heap out-of-bounds (OOB) read in the print_attribute function when handling UTF8STRING ASN.1 attribute values.

The vulnerability arises because print_attribute copies a UTF8STRING attribute value into a heap buffer sized exactly to its declared length using strncpy, but does not add a null terminator. Downstream code then uses strlen() on this buffer, which reads beyond the allocated memory, causing a heap OOB read. This can lead to attacker-controlled adjacent heap bytes being copied into a Perl scalar, potentially exposing sensitive memory or causing undefined behavior.

Additional issues related to missing length guards and buffer size miscalculations for certain attribute types were also identified and fixed in version 1.96.

Impact Analysis

This vulnerability can lead to a heap out-of-bounds read, which may allow an attacker to read adjacent memory contents that should not be accessible. This can result in information disclosure, where sensitive data from the process memory is leaked.

Additionally, the undefined behavior caused by the missing null terminator and improper length handling could potentially be exploited to cause crashes or other unpredictable behavior in applications using the vulnerable module.

Mitigation Strategies

To mitigate the CVE-2026-9265 vulnerability, you should update the Crypt::OpenSSL::PKCS12 Perl module to version 1.96 or later, which includes the fix for the heap out-of-bounds read in the print_attribute function.

The update addresses the issue by adding length checks and ensuring proper null-termination of UTF8STRING attributes, preventing buffer overflows and related memory errors.

Applying this update promptly will protect your system from potential exploitation via malformed PKCS12 files.

Detection Guidance

This vulnerability affects the Perl module Crypt::OpenSSL::PKCS12 versions before 1.96, specifically in the print_attribute function handling UTF8STRING attributes. Detection involves identifying if your system uses a vulnerable version of this Perl module.

To detect the vulnerability on your system, you can check the installed version of Crypt::OpenSSL::PKCS12 by running the following Perl command:

  • perl -MCrypt::OpenSSL::PKCS12 -e 'print $Crypt::OpenSSL::PKCS12::VERSION, "\n"'

If the version is earlier than 1.96, your system is potentially vulnerable.

Since the vulnerability is triggered by processing specially crafted PKCS12 files with malformed UTF8STRING attributes, you can also attempt to test the module by processing suspicious or attacker-supplied PKCS12 files using functions like info() or info_as_hash() in scripts that utilize this module, monitoring for crashes or abnormal behavior.

No specific network detection commands or signatures are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart