CVE-2026-8507

NameCVE-2026-8507
DescriptionCrypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would be triggered with remote-code-execution potential (RCE) due to a signed integer overflow in the size calculation passed to Renew().
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcrypt-openssl-pkcs12-perl (PTS)bullseye1.3-1vulnerable
forky, sid, trixie1.94-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcrypt-openssl-pkcs12-perlsource(unstable)(unfixed)

Notes

https://lists.security.metacpan.org/cve-announce/msg/40149247/
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56
Fixed by: https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f5b5c6c2a45a3d0647a532b749397
Search for package or bug name: Reporting problems