CVE-2026-8507: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws

CVE-2026-8507: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws Timothy Legge 17 May 2026 18:44 UTC

========================================================================
CVE-2026-8507                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8507
   Distribution:  Crypt-OpenSSL-PKCS12
       Versions:  through 1.94

       MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-PKCS12
       VCS Repo:  https://github.com/dsully/perl-crypt-openssl-pkcs12

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound
(OOB) write flaws

Description
-----------
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound
(OOB) write flaws.

When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT
STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a
heap-OOB-WRITE would be triggered which could have Remote Code
Execution (RCE) potential.

Problem types
-------------
- CWE-787 Out-of-bounds Write

Workarounds
-----------
Do not parse untrusted PKCS12 files via info or info_as_hash.

Solutions
---------
Upgrade to 1.95 or later.

References
----------
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch

Timeline
--------
- 2026-05-13: Issue discovered
- 2026-05-16: Contacted maintainer with the details
- 2026-05-17: Issue disclosed in Github incident
- 2026-05-17: Patched version released by maintainer