CVE-2026-9265: CWE-125 Out-of-bounds Read in JONASBN Crypt::OpenSSL::PKCS12
Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl contain a heap-based out-of-bounds read vulnerability in the print_attribute UTF8STRING path. The function copies an ASN.1 UTF8STRING attribute value into a heap buffer sized exactly to the declared length without a null terminator. Subsequent calls to strlen() on this buffer cause reading beyond the allocated memory, potentially leaking adjacent heap data into a Perl scalar.
AI Analysis
Technical Summary
CVE-2026-9265 is a heap out-of-bounds read vulnerability in Crypt::OpenSSL::PKCS12 versions prior to 1.96. The vulnerability arises in the print_attribute() function, which copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length using strncpy without appending a null terminator. Later, strlen() is called on this non-null-terminated buffer, causing it to read beyond the allocated memory. This results in copying attacker-influenced adjacent heap bytes into a Perl scalar, potentially exposing sensitive memory contents.
Potential Impact
This vulnerability allows an attacker to cause out-of-bounds reads on the heap, potentially leaking sensitive memory contents adjacent to the copied UTF8STRING attribute. There is no indication of remote code execution or denial of service from the provided data. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should upgrade to version 1.96 or later once available. Until then, avoid processing untrusted ASN.1 UTF8STRING attributes with vulnerable versions of Crypt::OpenSSL::PKCS12.
CVE-2026-9265: CWE-125 Out-of-bounds Read in JONASBN Crypt::OpenSSL::PKCS12
Description
Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl contain a heap-based out-of-bounds read vulnerability in the print_attribute UTF8STRING path. The function copies an ASN.1 UTF8STRING attribute value into a heap buffer sized exactly to the declared length without a null terminator. Subsequent calls to strlen() on this buffer cause reading beyond the allocated memory, potentially leaking adjacent heap data into a Perl scalar.
Affected software
pkg:github/Crypt-OpenSSL-PKCS12Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9265 is a heap out-of-bounds read vulnerability in Crypt::OpenSSL::PKCS12 versions prior to 1.96. The vulnerability arises in the print_attribute() function, which copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length using strncpy without appending a null terminator. Later, strlen() is called on this non-null-terminated buffer, causing it to read beyond the allocated memory. This results in copying attacker-influenced adjacent heap bytes into a Perl scalar, potentially exposing sensitive memory contents.
Potential Impact
This vulnerability allows an attacker to cause out-of-bounds reads on the heap, potentially leaking sensitive memory contents adjacent to the copied UTF8STRING attribute. There is no indication of remote code execution or denial of service from the provided data. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should upgrade to version 1.96 or later once available. Until then, avoid processing untrusted ASN.1 UTF8STRING attributes with vulnerable versions of Crypt::OpenSSL::PKCS12.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-22T01:38:26.750Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a35f350daaa79a87dc2cb84
Added to database: 6/20/2026, 1:56:32 AM
Last enriched: 6/20/2026, 2:11:30 AM
Last updated: 6/20/2026, 4:57:48 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.