CVE Catalog

CVE-2026-9265

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl allow a heap OOB read in print_attribute for UTF8STRING attributes. The print_attribute() function copies an ASN.1 attribute value into a memory buffer without adding a NUL terminator, leading to unsafe reads of adjacent bytes.

Risk Assessment

An attacker could exploit this vulnerability to read memory data, potentially leading to the disclosure of sensitive information or unauthorized code execution.

Recommendation

It is recommended to upgrade to Crypt::OpenSSL::PKCS12 version 1.96 or later to mitigate this vulnerability.

Original NVD description (English source)

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS