CVE-2026-58101

Source
https://cve.org/CVERecord?id=CVE-2026-58101
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58101.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58101
Downstream
Published
2026-07-13T22:17:48.375Z
Modified
2026-07-16T03:46:22.284903793Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference
Details

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference.

X509V3EXTd2i(ext) returns NULL when an extension's DER value fails to parse. basicC, ia5string, and authatt dereference its result without a NULL check. keyiddata also dereferences akid->keyid, which is NULL for an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds.

A caller invoking an affected helper on an extension from an untrusted certificate triggers a SIGSEGV that crashes the Perl process.

Database specific
{
    "cwe_ids": [
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58101.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/dsully/perl-crypt-openssl-x509

Affected ranges

Type
GIT
Repo
https://github.com/dsully/perl-crypt-openssl-x509
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.3"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.8.10
1.8.11
1.8.12
1.8.13
1.8.9
1.9
1.9.1
1.9.10
1.9.11
1.9.12
1.9.13
1.9.13-TRIAL
1.9.14
1.9.14-TRIAL
1.9.15
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
2.*
2.0.0
2.0.1
2.1.0-TRIAL
2.1.1
2.1.1-TRIAL
2.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58101.json"