CVE-2026-8507 | THREATINT

Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would be triggered with remote-code-execution potential (RCE) due to a signed integer overflow in the size calculation passed to Renew().

PUBLISHED Reserved 2026-05-13 | Published 2026-05-17 | Updated 2026-05-18 | Assigner CPANSec

Problem types

CWE-787 Out-of-bounds Write

Product status

Default status

unaffected

Any version

affected

Timeline

2026-05-13:	Issue discovered
2026-05-16:	Maintainer notified
2026-05-17:	Public disclosure
2026-05-17:	Crypt-OpenSSL-PKCS12 1.95 released.

References

www.openwall.com/lists/oss-security/2026/05/17/5

metacpan.org/...BN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md release-notes

github.com/dsully/perl-crypt-openssl-pkcs12/issues/55 issue-tracking

github.com/dsully/perl-crypt-openssl-pkcs12/issues/56 issue-tracking

github.com/...b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch patch

cve.org (CVE-2026-8507)

nvd.nist.gov (CVE-2026-8507)

Download JSON

help @ threatint.eu