Severity: CRITICAL | CVE-2026-9265 | CNA: CPANSec

CVE-2026-9265: Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.
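The copy-then-measure pattern described above, next to a hardened form. This is an added example, not the module's code or its 1.96 patch. The function names, the 32-byte arena standing in for a heap chunk and its neighbours, and the sample value are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 32 /* constructed stand-in for a heap chunk plus its neighbours */

/* Pattern from the advisory: strncpy exactly `len` bytes, no terminator,
 * then measure with strlen(). Returns the length a caller would pass on
 * to newSVpvn(). The arena keeps the over-read inside one array. */
size_t measured_len_unterminated(const unsigned char *val, size_t len)
{
    char arena[ARENA_SIZE];
    if (len >= ARENA_SIZE) return 0;
    memset(arena, 'S', ARENA_SIZE - 1);      /* neighbouring bytes */
    arena[ARENA_SIZE - 1] = '\0';            /* first NUL strlen() meets */
    strncpy(arena, (const char *)val, len);  /* writes len bytes, no NUL */
    return strlen(arena);
}

/* Hardened form: room for a terminator, explicit NUL, and the declared
 * length handed back so callers never re-measure with strlen(). */
char *copy_attr_terminated(const unsigned char *val, size_t len, size_t *out_len)
{
    char *buf;
    if (len == SIZE_MAX || (buf = malloc(len + 1)) == NULL) return NULL;
    if (len) memcpy(buf, val, len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

/* Length a caller sees after the hardened copy (demo helper). */
size_t measured_len_terminated(const unsigned char *val, size_t len)
{
    size_t n = 0;
    char *buf = copy_attr_terminated(val, len, &n);
    size_t seen = buf ? strlen(buf) : 0;
    free(buf);
    return seen;
}

int main(void)
{
    const unsigned char attr[] = { 'C', 'N', '=', 'x' }; /* constructed value, no NUL */
    printf("unterminated: %zu bytes measured\n", measured_len_unterminated(attr, sizeof attr));
    printf("terminated:   %zu bytes measured\n", measured_len_terminated(attr, sizeof attr));
    return 0;
}
```

For the 4-byte value the unterminated copy measures 31 bytes, because strlen() runs on into the neighbouring bytes; the terminated copy measures 4.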

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 1.96
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap out-of-bounds read affects Crypt::OpenSSL::PKCS12 for Perl in all versions before 1.96. The flaw is reachable over the network without authentication: a crafted PKCS12 file triggers the vulnerable print_attribute() code path, which copies a UTF8STRING ASN.1 value into a heap buffer without a NUL terminator, then passes an inflated length to newSVpvn(), leaking adjacent heap bytes into a Perl scalar. Successful exploitation reads sensitive memory contents and can crash the affected process. A patched-image rebuild at version 1.96 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec advisories) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle the affected Perl module.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical) and surfaces it with per-environment compliance policy weighting to ensure it routes to the appropriate team inbox inside each customer org.

Patch: Available

A patched-image rebuild pinned to Crypt::OpenSSL::PKCS12 version 1.96 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code is exposed over the network; an attacker can deliver a crafted PKCS12 file to the target service without needing local access.

  • Authentication: Not required

    No credentials are needed; any unauthenticated party that can supply a PKCS12 input to the application can trigger the flaw.

  • Victim interaction: Not required

    No user action is required beyond the service processing the attacker-supplied PKCS12 file in its normal operation.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required.

Blast Radius

  • Reads adjacent heap bytes that may contain in-process secrets such as private keys, session tokens, or decrypted plaintext from other PKCS12 operations.
  • Copies the over-read heap content into a Perl scalar that downstream application code may log, serialize, or return in an API response.
  • Causes a process crash when strlen() walks past valid heap memory, disrupting availability of any service that parses PKCS12 inputs.
  • No write primitive is present in this path, so persistent data integrity is not directly affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: images containing Crypt::OpenSSL::PKCS12 versions before 1.96 are flagged as soon as a scan matches the CVE, which is ingested within minutes of publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 1.96, runs regression tests, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merging, the rebuild is queued and the PR is held for approval. Because this is a critical-severity memory-disclosure issue with no authentication barrier, customers are encouraged to prioritize remediation or, as a compensating control, apply network policy to restrict which services can submit PKCS12 inputs to the affected application until the patched image is deployed.


Fix available: 1.96
Affected packages
  • JONASBN / Crypt::OpenSSL::PKCS12
    < 1.96 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H