CVE-2026-9265
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl allow a heap OOB read in print_attribute for UTF8STRING attributes. The print_attribute() function copies an ASN.1 attribute value into a memory buffer without adding a NUL terminator, leading to unsafe reads of adjacent bytes.
Risk Assessment
An attacker could exploit this vulnerability to read memory data, potentially leading to the disclosure of sensitive information or unauthorized code execution.
Recommendation
It is recommended to upgrade to Crypt::OpenSSL::PKCS12 version 1.96 or later to mitigate this vulnerability.
Original NVD description (English source)
Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

