oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-8507: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws

From: Timothy Legge <timlegge () cpansec org>
Date: Sun, 17 May 2026 15:44:39 -0300
========================================================================
CVE-2026-8507                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8507
  Distribution:  Crypt-OpenSSL-PKCS12
      Versions:  through 1.94

      MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-PKCS12
      VCS Repo:  https://github.com/dsully/perl-crypt-openssl-pkcs12


Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound
(OOB) write flaws

Description
-----------
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound
(OOB) write flaws.

When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT
STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a
heap-OOB-WRITE would be triggered which could have Remote Code
Execution (RCE) potential.

Problem types
-------------
- CWE-787 Out-of-bounds Write

Workarounds
-----------
Do not parse untrusted PKCS12 files via info or info_as_hash.


Solutions
---------
Upgrade to 1.95 or later.


References
----------
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch

Timeline
--------
- 2026-05-13: Issue discovered
- 2026-05-16: Contacted maintainer with the details
- 2026-05-17: Issue disclosed in Github incident
- 2026-05-17: Patched version released by maintainer
Previous By Date Next
Previous By Thread Next

Current thread: