CVE-2026-8507 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-8507 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-8507 is a critical out-of-bounds write vulnerability in the Perl module Crypt::OpenSSL::PKCS12, affecting all versions through 1.94, triggered during the parsing of specially crafted PKCS12 files.
Technical Detail
The flaw exists in the info() method of Crypt::OpenSSL::PKCS12, which fails to properly handle OCTET STRING or BIT STRING attributes on a SAFEBAG structure when the attribute data is 1 GiB or larger, resulting in an out-of-bounds memory write. An attacker can trigger this condition by supplying a malformed PKCS12 file to any application that invokes the info() method on attacker-controlled input. Depending on memory layout and runtime conditions, successful exploitation could lead to memory corruption, process crash, or potentially arbitrary code execution.
Exploitation Status
No known exploit exists for this vulnerability at this time. It has not been added to the CISA Known Exploited Vulnerabilities catalog. The vulnerability is publicly described, but no proof-of-concept code or active exploitation has been confirmed as of May 24, 2026.
Who Is Targeting This
No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this CVE.
What To Do
Operators using Crypt::OpenSSL::PKCS12 in Perl applications should upgrade to a patched version beyond 1.94 as soon as one is available from the module maintainers via CPAN. In the interim, applications should avoid passing untrusted or externally supplied PKCS12 files to the info() method. Input validation to enforce reasonable size limits on PKCS12 file attributes, particularly rejecting OCTET STRING or BIT STRING values approaching or exceeding 1 GiB, serves as a practical interim control. Given the critical CVSS score of 9.8, patching should be treated as high priority even in the absence of confirmed active exploitation.
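The interim size control described above, as an added example (not code from the advisory or from the Crypt::OpenSSL::PKCS12 project): because a SAFEBAG attribute of 1 GiB or larger cannot be encoded inside a file smaller than 1 GiB, a byte-count ceiling on the untrusted file rejects the triggering input before any parsing happens. The 1 MiB ceiling and the wrapper names are constructed for this example; the `new_from_file` constructor and the password argument to `info()` are assumed from the module's documented API.

```perl
#!/usr/bin/env perl
# Added example: gate untrusted PKCS12 input on size before it reaches info().
# A file smaller than the ceiling cannot carry a >= 1 GiB OCTET STRING or
# BIT STRING attribute, so the vulnerable code path is never entered.
use strict;
use warnings;
use Crypt::OpenSSL::PKCS12;

# Constructed ceiling: real client certificate bundles are kilobytes, not
# gigabytes. Tune per deployment, but keep it far below 1 GiB.
use constant MAX_PKCS12_BYTES => 1 * 1024 * 1024;   # 1 MiB

# Returns ($ok, $reason). Inspects file metadata only; nothing is parsed here.
sub pkcs12_size_ok {
    my ($path, $limit) = @_;
    $limit //= MAX_PKCS12_BYTES;
    return (0, "not a regular file") unless -f $path;
    my $size = -s $path;
    return (0, "empty file") unless $size;
    return (0, "size $size exceeds limit $limit bytes") if $size > $limit;
    return (1, "ok");
}

# Hypothetical wrapper: info() is only invoked after the size gate passes,
# and parser failures are trapped so a bad file cannot take the caller down.
sub safe_pkcs12_info {
    my ($path, $password) = @_;
    my ($ok, $why) = pkcs12_size_ok($path);
    die "refusing PKCS12 '$path': $why\n" unless $ok;
    # new_from_file is assumed from the module's documented API.
    my $p12  = Crypt::OpenSSL::PKCS12->new_from_file($path);
    my $info = eval { $p12->info($password) };
    die "PKCS12 parse failed for '$path': $@" if $@;
    return $info;
}

# Command-line usage: perl gate.pl bundle.p12 [password]
if (!caller) {
    my ($path, $password) = @ARGV;
    die "usage: $0 file.p12 [password]\n" unless defined $path;
    print safe_pkcs12_info($path, $password // '');
}
```

Applications that receive PKCS12 data as an in-memory string rather than a file should apply the same `length()` ceiling before calling the module's string-based constructor.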