CVE-2026-58101

NameCVE-2026-58101
DescriptionCrypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference. X509V3_EXT_d2i(ext) returns NULL when an extension's DER value fails to parse. basicC, ia5string, and auth_att dereference its result without a NULL check. keyid_data also dereferences akid->keyid, which is NULL for an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds. A caller invoking an affected helper on an extension from an untrusted certificate triggers a SIGSEGV that crashes the Perl process.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1142034

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcrypt-openssl-x509-perl (PTS)bullseye1.9.02-1vulnerable
bookworm1.9.14-2vulnerable
trixie2.0.1-1vulnerable
forky2.1.2-1vulnerable
sid2.1.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcrypt-openssl-x509-perlsource(unstable)2.1.3-11142034

Notes

https://lists.security.metacpan.org/cve-announce/msg/41792358/
Fixed by: https://github.com/dsully/perl-crypt-openssl-x509/commit/4c1e2370556097c253ae27abe9e1097ea377fbd2 (2.1.3)

Search for package or bug name: Reporting problems