Fluid Attacks Database

Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would be triggered with remote-code-execution potential (RCE) due to a signed integer overflow in the size calculation passed to Renew().

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libcrypt-openssl-pkcs12-perl	=1.94-1 \|\| =1.95-1	-
debian 14	libcrypt-openssl-pkcs12-perl	=1.94-1 \|\| >=0 <1.95-1	1.95-1

Aliases

1. CVE-2026-85072. NVD-2026-85073. OSV-DEBIAN-2026-85074. OSV-2026-85075. SECURITY-TRACKER-CVE-2026-8507

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.