CVE-2026-58101 in Crypt::OpenSSL::X509info

Summary

by MITRE • 07/14/2026

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference.

X509V3_EXT_d2i(ext) returns NULL when an extension's DER value fails to parse. basicC, ia5string, and auth_att dereference its result without a NULL check. keyid_data also dereferences akid->keyid, which is NULL for an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds.

A caller invoking an affected helper on an extension from an untrusted certificate triggers a SIGSEGV that crashes the Perl process.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Crypt::OpenSSL::X509 versions prior to 2.1.3 represents a critical denial of service weakness that stems from inadequate null pointer validation during X.509 certificate extension parsing operations. This flaw manifests when processing extensions with malformed DER values, creating conditions where the software attempts to dereference NULL pointers without proper validation checks. The vulnerability specifically affects the X509V3_EXT_d2i function which returns NULL when extension DER values fail to parse correctly, yet downstream code components fail to verify this return value before proceeding with pointer dereferences.

The technical implementation of this vulnerability involves multiple code paths that assume successful parsing outcomes without proper defensive programming. The basicC, ia5string, and auth_att helper functions directly dereference the result from X509V3_EXT_d2i without checking for NULL returns, creating immediate crash conditions when malformed extensions are encountered. Additionally, keyid_data function exhibits similar behavior by dereferencing akid->keyid where the keyid field can be NULL even when the overall parse operation succeeds, specifically occurring with empty AKI SEQUENCE structures represented as DER 30 00. This particular scenario demonstrates how even seemingly valid parsing operations can produce NULL pointer conditions in edge cases involving empty sequence structures.

The operational impact of this vulnerability extends beyond simple denial of service to potentially compromise entire Perl applications that rely on certificate processing functionality. When an attacker crafts a malicious certificate containing specifically malformed extensions, they can trigger SIGSEGV signals that terminate the Perl process abruptly. This makes the vulnerability particularly dangerous in web applications or services where certificate validation occurs automatically during TLS handshakes or certificate chain verification processes. The attack vector requires only that a caller invoke one of the affected helper functions on an extension extracted from an untrusted certificate, making it relatively easy to exploit in practice.

From a cybersecurity framework perspective, this vulnerability maps directly to CWE-476 which describes NULL Pointer Dereference conditions in software implementations. The flaw also aligns with ATT&CK technique T1593 which involves reconnaissance activities targeting application vulnerabilities, and T1499 which covers network denial of service attacks. Organizations utilizing Perl applications that process untrusted X.509 certificates must address this vulnerability through immediate patching to Crypt::OpenSSL::X509 version 2.1.3 or later. The recommended mitigation strategy involves implementing comprehensive input validation and null pointer checks throughout the certificate parsing pipeline, particularly around extension handling functions that directly interact with OpenSSL's X.509 extension APIs. Additionally, organizations should consider implementing application-level sandboxing or containerization strategies to limit the impact of potential exploitation attempts while awaiting patch deployment.

The broader implications of this vulnerability highlight systemic issues in cryptographic library implementations where defensive programming practices are insufficiently applied during certificate parsing operations. The flaw demonstrates how seemingly minor coding oversights in error handling can create severe operational impacts, particularly when dealing with untrusted input data such as X.509 certificates. This vulnerability serves as a reminder of the critical importance of robust null pointer validation in security-sensitive code paths and the necessity of thorough testing against malformed input conditions before deployment in production environments.

Responsible

CPANSec

Reservation

06/29/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00106

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!