CVE-2026-9265 | Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits…

Description

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

Metadata

CVE ID: CVE-2026-9265
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-05-22 01:38 UTC
Published: 2026-06-20 00:46 UTC
Last updated: 2026-06-20 00:46 UTC
Primary CWE: CWE-125
CWE-125 Out-of-bounds Read
Vendor / Product: JONASBN / Crypt::OpenSSL::PKCS12
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
JONASBN	Crypt::OpenSSL::PKCS12	—	0 < 1.96

Weakness (CWE)

CWE	Source	Description
CWE-125	cna	CWE-125 Out-of-bounds Read

References (3)