Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-58102: CWE-125 Out-of-bounds Read in JONASBN Crypt::OpenSSL::X509

0
Medium
VulnerabilityCVE-2026-58102cvecve-2026-58102cwe-125
Published: 07/13/2026 (07/13/2026, 22:22:48 UTC)
Source: CVE Database V5
Vendor/Project: JONASBN
Product: Crypt::OpenSSL::X509

Description

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl contain a heap out-of-bounds read vulnerability triggered by a long certificate extension OID in the hv_exts hash. The issue arises because the code uses the full text length of the OID as the hash key length, which can exceed the fixed buffer size of 129 bytes, causing a read beyond the allocated memory. This vulnerability affects functions that build the extension hash using the long OID text but does not affect extensions_by_name() which uses a shortname path.

Affected software

GitHub Actionsmore threats →cve
Crypt-OpenSSL-X509
pkg:github/Crypt-OpenSSL-X509
Affected versions
<2.1.3

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 22:47:28 UTC

Technical Analysis

CVE-2026-58102 is a heap out-of-bounds read vulnerability in Crypt::OpenSSL::X509 versions prior to 2.1.3. The flaw occurs when processing certificate extension OIDs longer than 129 bytes. The code incorrectly uses the full OID text length returned by OBJ_obj2txt() as the hash key length, leading to reading beyond the fixed-size buffer and exposing adjacent heap memory. This affects the extensions(), extensions_by_long_name(), extensions_by_oid(), and has_extension_oid() functions. The extensions_by_name() function is not vulnerable as it uses a different code path.

Potential Impact

This vulnerability can lead to disclosure of adjacent heap memory contents due to out-of-bounds reads when handling long certificate extension OIDs. There is no indication of code execution or other impacts. No known exploits are reported in the wild. The exposure of heap memory could potentially leak sensitive information depending on the context in which the library is used.

Mitigation Recommendations

No official fix or patch is currently confirmed. Users should upgrade to Crypt::OpenSSL::X509 version 2.1.3 or later once available. Until then, avoid processing certificates with unusually long extension OIDs or use the extensions_by_name() function which is not affected. Monitor the vendor advisory for updates on remediation.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
CPANSec
Date Reserved
2026-06-29T06:35:04.718Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a5567a468715ace43fd6a49

Added to database: 07/13/2026, 22:33:08 UTC

Last enriched: 07/13/2026, 22:47:28 UTC

Last updated: 07/14/2026, 00:18:03 UTC

Views: 8

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses