CVE-2026-58102 in Crypt::OpenSSL::X509info

Summary

by MITRE • 07/14/2026

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts.

When building the extension hash (via extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid()), the code passes OBJ_obj2txt()'s return value as the hash-key length; because that value is the OID's full text length rather than the bytes written to the fixed-size buffer (129 bytes), an OID whose text is longer than the 129-byte buffer causes a read past the allocation, exposing adjacent heap memory as the returned hash key. extensions_by_name() uses the static shortname path and is not affected.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Crypt::OpenSSL::X509 versions prior to 2.1.3 represents a critical heap out-of-bounds read condition that stems from improper handling of certificate extension object identifiers during hash key construction. This flaw exists within the library's implementation of certificate parsing functions including extensions(), extensions_by_long_name(), extensions_by_oid(), and has_extension_oid() which are commonly used to process X.509 certificate extensions. The vulnerability manifests when processing certificate extensions with particularly long object identifier strings that exceed the allocated buffer size for OID text representation.

The technical root cause involves a fundamental mismatch between the return value of OBJ_obj2txt() function and the expected buffer management during hash key generation. When processing certificate extensions, the code incorrectly utilizes OBJ_obj2txt()'s return value as the hash key length parameter, where this return value represents the complete textual length of the OID rather than the actual number of bytes written to the fixed 129-byte buffer. This discrepancy creates a scenario where OIDs exceeding the buffer capacity trigger memory access beyond allocated boundaries, effectively exposing adjacent heap memory contents.

The operational impact of this vulnerability extends across multiple attack vectors within cryptographic applications that rely on Perl's Crypt::OpenSSL::X509 library for certificate processing. Attackers can exploit this condition by crafting malicious X.509 certificates containing extensions with excessively long OIDs, potentially leading to information disclosure of sensitive heap memory contents including cryptographic keys, session data, or other confidential information stored in adjacent memory regions. The vulnerability affects the core certificate parsing functionality and could compromise applications handling certificate validation, certificate authority operations, or secure communication protocols that utilize this library.

This specific issue maps to CWE-126: Buffer Under-read within the Common Weakness Enumeration framework, representing a variant of heap-based buffer over-read conditions that can expose sensitive data through improper memory access patterns. The vulnerability aligns with ATT&CK technique T1552.004: "Credentials in Files" as it could potentially expose credential material stored in adjacent heap memory regions during certificate processing operations. Additionally, the flaw demonstrates characteristics of T1211: "Exploitation for Defense Evasion" where attackers might use information disclosure to gain insights about system memory layout and application state.

The most effective mitigations involve upgrading to Crypt::OpenSSL::X509 version 2.1.3 or later, which implements proper buffer size validation and correct handling of OID text length calculations during hash key construction. System administrators should also consider implementing certificate validation policies that limit the maximum length of extension OIDs processed by applications, along with regular monitoring for unusual certificate processing patterns that might indicate exploitation attempts. Organizations using this library in security-critical applications should conduct thorough code audits to identify and remediate any similar buffer management issues within their cryptographic processing pipelines, particularly in areas where external certificate data is parsed and stored in memory structures.

Responsible

CPANSec

Reservation

06/29/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00106

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!