Executive Summary

CVE-2026-9265 is a security vulnerability in the Perl module Crypt::OpenSSL::PKCS12 versions before 1.96. It involves a heap out-of-bounds (OOB) read in the print_attribute function when handling UTF8STRING ASN.1 attribute values.

The vulnerability arises because print_attribute copies a UTF8STRING attribute value into a heap buffer sized exactly to its declared length using strncpy, but does not add a null terminator. Downstream code then uses strlen() on this buffer, which reads beyond the allocated memory, causing a heap OOB read. This can lead to attacker-controlled adjacent heap bytes being copied into a Perl scalar, potentially exposing sensitive memory or causing undefined behavior.

Additional issues related to missing length guards and buffer size miscalculations for certain attribute types were also identified and fixed in version 1.96.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a heap out-of-bounds read, which may allow an attacker to read adjacent memory contents that should not be accessible. This can result in information disclosure, where sensitive data from the process memory is leaked.

Additionally, the undefined behavior caused by the missing null terminator and improper length handling could potentially be exploited to cause crashes or other unpredictable behavior in applications using the vulnerable module.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-9265 vulnerability, you should update the Crypt::OpenSSL::PKCS12 Perl module to version 1.96 or later, which includes the fix for the heap out-of-bounds read in the print_attribute function.

The update addresses the issue by adding length checks and ensuring proper null-termination of UTF8STRING attributes, preventing buffer overflows and related memory errors.

Applying this update promptly will protect your system from potential exploitation via malformed PKCS12 files.

Useful 0 Not Useful 0