Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws.
When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap-OOB-WRITE would be triggered which could have Remote Code Execution (RCE) potential.
AnalysisAI
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
Technical ContextAI
Crypt::OpenSSL::PKCS12 is a Perl XS binding around OpenSSL's PKCS#12 parsing routines, used to read keystore-style files containing certificates, private keys, and metadata attributes attached to SAFEBAG structures. The flaw is a classic CWE-787 (Out-of-bounds Write) caused by an unchecked integer multiplication in PKCS12.xs::print_attribute(): the code performed Renew(*attribute, av->value.octet_string->length * 4, char) (and the analogous BIT STRING branch) where length is a signed int. When length is >= ~1 GiB, the multiplication by 4 overflows INT_MAX, the allocator receives a wrapped/small size, and subsequent copies of the original (huge) string overflow the heap buffer. The fix in commit b9d04 (released as 1.95) adds explicit bounds checks against INT_MAX/4 and croaks before allocation.
RemediationAI
Vendor-released patch: upgrade Crypt::OpenSSL::PKCS12 to 1.95 or later from CPAN (cpanm Crypt::OpenSSL::PKCS12), which adds INT_MAX/4 bounds checks on OCTET STRING and BIT STRING attribute lengths before the Renew() call per commit b9d0469c6d8f5b5c6c2a45a3d0647a532b749397. Where immediate upgrade is not possible, avoid calling info() or info_as_hash() on PKCS12 files originating from untrusted sources, or pre-validate that input files are not pathologically large (a 1 GiB+ PKCS12 is extremely unusual in practice, so rejecting files above a few MB is a low-impact compensating control). Audit downstream Perl applications and packaged distributions (Linux distro perl-Crypt-OpenSSL-PKCS12 packages) for transitive use, and consult the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/05/17/5 and VulDB entry https://vuldb.com/vuln/364432 for additional context.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30708
GHSA-3qmj-qw66-fwx8