CVE-2026-8507 Overview
CVE-2026-8507 is a heap out-of-bounds write vulnerability in the Crypt::OpenSSL::PKCS12 Perl module through version 1.94. The flaw resides in the attribute parsing routines invoked by info() and info_as_hash() when processing a PKCS12 file. A crafted PKCS12 input containing a >= 1 GiB OCTET STRING or BIT STRING attribute on a SAFEBAG triggers a signed integer overflow in the size calculation passed to the Renew() allocator. The resulting undersized allocation followed by an oversized copy produces a heap out-of-bounds write with remote code execution potential. The issue is tracked as [CWE-787].
Critical Impact
Remote attackers can trigger a heap out-of-bounds write by supplying a malicious PKCS12 file, enabling potential remote code execution in any Perl application that parses untrusted PKCS12 input.
Affected Products
- Crypt::OpenSSL::PKCS12 for Perl, versions through 1.94
- Perl applications and services invoking info() or info_as_hash() on untrusted PKCS12 input
- Distributions and pipelines bundling the affected CPAN module
Discovery Timeline
- 2026-05-17 - CVE-2026-8507 published to the National Vulnerability Database (NVD)
- 2026-05-17 - Public disclosure on the Openwall oss-security mailing list
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8507
Vulnerability Analysis
The vulnerability resides in print_attribute inside PKCS12.xs. When the module encounters an OCTET STRING attribute on a SAFEBAG, it calls Renew(*attribute, av->value.octet_string->length * 4, char) to resize the destination buffer. The multiplication is performed on a signed int, so any length value at or above INT_MAX / 4 (roughly 536 MiB) overflows and produces a small or negative size. Renew() allocates that truncated size, and the subsequent get_hex() call writes the full attribute payload into the undersized heap buffer.
An attacker who controls the PKCS12 file controls both the attribute length field and the attribute payload, giving them precise control over the OOB write. PKCS12 parsing is commonly performed on attacker-supplied input in certificate handling, mail processing, and identity workflows, which makes the attack surface broad.
Root Cause
The root cause is an unchecked signed integer multiplication used as an allocation size [CWE-787]. The code trusted the ASN.1-decoded length field without bounding it against INT_MAX / 4 or rejecting negative values.
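To make the size calculation concrete, the following is an added example (not code from the module or the upstream patch) that places the int-typed product the unpatched code computes beside the hardened check; the function names are hypothetical, and the wrap is emulated with unsigned arithmetic because signed overflow is undefined in C.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Sentinel returned by checked_hex_buf_size() for a rejected length. */
#define HEX_BUF_REJECT ((size_t)-1)

/* What the unpatched code effectively hands to Renew(): length * 4 evaluated
 * in int. Signed overflow is undefined in C, so the wrap is reproduced with
 * unsigned arithmetic (what two's complement hardware does) for demonstration. */
int vulnerable_hex_buf_size(int length)
{
    return (int)((unsigned int)length * 4u);
}

/* Hardened sizing mirroring the upstream fix: refuse negative lengths and any
 * length whose 4x product would not fit in an int, then widen to size_t before
 * multiplying so the accepted path cannot wrap either. */
size_t checked_hex_buf_size(int length)
{
    if (length < 0 || length > INT_MAX / 4)
        return HEX_BUF_REJECT;
    return (size_t)length * 4;
}

int main(void)
{
    /* Constructed attribute lengths: the largest accepted value, the first
     * rejected one, the 1 GiB case from the advisory, and a negative field. */
    int lengths[] = { INT_MAX / 4, INT_MAX / 4 + 1, 1 << 30, -1 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t safe = checked_hex_buf_size(lengths[i]);
        printf("length %11d: unpatched Renew size %11d, patched: ",
               lengths[i], vulnerable_hex_buf_size(lengths[i]));
        if (safe == HEX_BUF_REJECT)
            puts("croak (out of range)");
        else
            printf("%zu bytes\n", safe);
    }
    return 0;
}
```

The 1 GiB case is the one the advisory describes: the product wraps to exactly 0, so Renew() is asked for an empty buffer before a 1 GiB copy.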
Attack Vector
Exploitation requires no authentication and no user interaction beyond convincing the target application to parse a malicious PKCS12 blob. Delivery vectors include PKCS12 uploads to TLS or signing services, email attachments, and certificate import workflows.
// Source: https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch
// Patch for print_attribute in PKCS12.xs
case V_ASN1_OCTET_STRING:
if(*attribute != NULL) {
- Renew(*attribute, av->value.octet_string->length * 4, char);
+ if (av->value.octet_string->length < 0 ||
+ av->value.octet_string->length > INT_MAX / 4)
+ croak("OCTET STRING attribute length out of range (got %d)",
+ av->value.octet_string->length);
+ Renew(*attribute, (size_t)av->value.octet_string->length * 4, char);
get_hex(*attribute, av->value.octet_string->data, av->value.octet_string->length);
} else {
hex_prin(out, av->value.octet_string->data,
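Review bot: the new `length < 0 || length > INT_MAX / 4` guard covers only the V_ASN1_OCTET_STRING Renew() on the `*attribute != NULL` path; the advisory names BIT STRING attributes as a second trigger, so the V_ASN1_BIT_STRING case (outside this excerpt) needs the identical check ahead of its own Renew(), and a shared helper would keep the two bounds from drifting. The `(size_t)` cast on the accepted path is the right shape, since the product is then computed in size_t rather than int.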
The patch adds explicit bounds checking before the allocation, rejecting negative lengths and values that would overflow when multiplied by 4, and casts to size_t for the safe path.
Detection Methods for CVE-2026-8507
Indicators of Compromise
- Perl processes loading Crypt::OpenSSL::PKCS12 at a version <= 1.94 while parsing externally sourced .p12 or .pfx files
- Crashes, SIGSEGV, or heap corruption messages from Perl workers handling PKCS12 input
- PKCS12 files larger than 1 GiB or containing oversized SAFEBAG attribute fields delivered to certificate import endpoints
Detection Strategies
- Inventory CPAN dependencies across servers and CI/CD images and flag any Crypt-OpenSSL-PKCS12 release prior to 1.95
- Inspect ASN.1 length fields in PKCS12 uploads at the application or proxy layer and reject OCTET STRING or BIT STRING attributes exceeding a sane bound
- Add file-size and content-type checks on certificate upload endpoints to drop oversized PKCS12 payloads before they reach the parser
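As an added example of the ASN.1 length inspection suggested above (not code from the module or any proxy product), this DER walker flags any universal OCTET STRING or BIT STRING that declares a payload above a policy bound; the function name, the 16 MiB bound and the byte samples are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Policy bound for a primitive OCTET STRING / BIT STRING payload (a constructed
 * value for this example; anything near INT_MAX/4 bytes is the dangerous range). */
#define MAX_STRING_LEN (16u * 1024u * 1024u)

/* Recursively walks DER TLVs. Returns 1 if a universal OCTET STRING (0x04) or
 * BIT STRING (0x03) declares a length above MAX_STRING_LEN, -1 if the encoding
 * is malformed or truncated, 0 if clean. Any non-zero verdict means reject. */
int scan_der_string_lengths(const uint8_t *p, size_t n)
{
    while (n > 0) {
        if (n < 2 || (p[0] & 0x1f) == 0x1f)   /* need tag+length; multi-byte tags unsupported */
            return -1;
        uint8_t tag = p[0];
        size_t len = p[1], hdr = 2;
        if (len & 0x80) {                      /* long form: low bits = number of length bytes */
            size_t k = len & 0x7f;
            if (k == 0 || k > sizeof(size_t) || n < 2 + k)
                return -1;                     /* indefinite length or cut-off length field */
            len = 0;
            for (size_t i = 0; i < k; i++)
                len = (len << 8) | p[2 + i];
            hdr = 2 + k;
        }
        int universal = (tag & 0xc0) == 0, constructed = tag & 0x20, num = tag & 0x1f;
        if (universal && !constructed && (num == 0x03 || num == 0x04) && len > MAX_STRING_LEN)
            return 1;                          /* declared size alone is the signal */
        if (len > n - hdr)
            return -1;                         /* payload shorter than declared */
        if (constructed) {                     /* SEQUENCE, SET, [n]: inspect the children */
            int r = scan_der_string_lengths(p + hdr, len);
            if (r != 0)
                return r;
        }
        p += hdr + len;
        n -= hdr + len;
    }
    return 0;
}

/* Constructed samples (not real PKCS12 files): a SEQUENCE holding a 3-byte
 * OCTET STRING and a BIT STRING whose long-form length declares 1 GiB. */
static const uint8_t oversized[] = { 0x30, 0x0b, 0x04, 0x03, 'a', 'b', 'c',
                                     0x03, 0x84, 0x40, 0x00, 0x00, 0x00 };
static const uint8_t clean[]     = { 0x30, 0x05, 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t truncated[] = { 0x30, 0x05, 0x04, 0x03, 'a', 'b' };
```

Bag attributes inside an encrypted SafeContents are not visible to a scan like this, so the upload size cap remains the backstop for that case.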
Monitoring Recommendations
- Alert on unexpected crashes or restarts of services that invoke info() or info_as_hash() on untrusted PKCS12 data
- Monitor outbound network connections initiated by certificate-handling workers, which would indicate post-exploitation activity
- Centralize Perl application logs and watch for croak messages referencing OCTET STRING attribute length out of range after patching, which indicate attempted exploitation
How to Mitigate CVE-2026-8507
Immediate Actions Required
- Upgrade Crypt::OpenSSL::PKCS12 to version 1.95 or later on all systems, including container images and offline build agents
- Audit applications that call info() or info_as_hash() and restrict those code paths to authenticated, trusted input until patching is complete
- Enforce strict size limits on PKCS12 uploads at the reverse proxy or application gateway
Patch Information
The fix is shipped in Crypt-OpenSSL-PKCS12 1.95, published on CPAN. The upstream change is documented in the MetaCPAN release notes and applied in the GitHub commit patch. Additional context is available in GitHub Issue #55 and GitHub Issue #56.
Workarounds
- Reject PKCS12 files larger than a sane threshold (for example, 10 MiB) at the upload layer before any Perl parsing occurs
- Avoid calling info() or info_as_hash() on attacker-controlled PKCS12 input until the module is upgraded to 1.95
- Run Perl certificate-parsing workers as unprivileged users inside isolated containers to limit the blast radius of a successful exploit
# Configuration example: upgrade the affected CPAN module and verify version
cpanm Crypt::OpenSSL::PKCS12@1.95
perl -MCrypt::OpenSSL::PKCS12 -e 'print $Crypt::OpenSSL::PKCS12::VERSION, "\n"'
# Nginx example: cap PKCS12 upload size on the certificate import endpoint
location /certificates/import {
client_max_body_size 10m;
proxy_pass http://perl_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.