CVE-2026-58102
JONASBN · Crypt::OpenSSL::X509
Crypt::OpenSSL::X509 for Perl is vulnerable to a heap out-of-bounds read via a long certificate extension OID, potentially leading to sensitive information disclosure.
Executive summary
A critical out-of-bounds read vulnerability in JONASBN Crypt::OpenSSL::X509 allows unauthenticated attackers to potentially leak heap memory contents.
Vulnerability
This vulnerability is a heap out-of-bounds read (CWE-125) occurring during the processing of certificate extension OIDs longer than 129 bytes. The flaw is remotely triggerable by an unauthenticated attacker, as the software fails to properly handle the return value when parsing malicious or malformed OIDs.
Business impact
Successful exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive data residing in the heap memory of the application. Given the CVSS score of 9.1, this is classified as a critical risk, as it may expose cryptographic keys, session tokens, or other sensitive information processed by the Perl module. The lack of authentication requirements increases the attack surface significantly, potentially allowing for automated exploitation.
Remediation
Immediate Action: Update the Crypt::OpenSSL::X509 module to version 2.1.3 or later immediately to resolve the memory handling flaw.
Proactive Monitoring: Monitor application logs for unexpected crashes or errors during certificate parsing, which may indicate attempts to trigger the heap read vulnerability.
Compensating Controls: If immediate patching is not possible, implement strict input validation on certificates processed by the application to reject OIDs that exceed standard length constraints.
Exploitation status
Public Exploit Available: No (There is no confirmed public exploit available in the provided data).
Analyst recommendation
Due to the critical severity and the potential for memory leakage of sensitive cryptographic material, organizations should prioritize updating the JONASBN Crypt::OpenSSL::X509 module across all production environments. Ensuring the library is updated to version 2.1.3 is the only reliable method to eliminate the vulnerability and prevent potential information disclosure attacks.