CVE-2026-8721 - Vulnerability Details - OpenCVE

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/17/6
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

History

Sun, 17 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/17/6

Sun, 17 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Title		Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Weaknesses		CWE-170
References		https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-05-17T18:51:41.420Z

Updated: 2026-05-17T21:18:34.820Z

Reserved: 2026-05-16T01:07:36.063Z

Link: CVE-2026-8721

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T19:16:25.310

Modified: 2026-05-17T22:16:21.370

Link: CVE-2026-8721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T21:00:06Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8721", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-05-16T01:07:36.063Z", "datePublished": "2026-05-17T18:51:41.420Z", "dateUpdated": "2026-05-17T21:18:34.820Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-OpenSSL-PKCS12", "product": "Crypt::OpenSSL::PKCS12", "programFiles": ["PKCS12.xs"], "programRoutines": [{"name": "Crypt::OpenSSL::PKCS12::mac_ok"}, {"name": "Crypt::OpenSSL::PKCS12::changepass"}, {"name": "Crypt::OpenSSL::PKCS12::create"}, {"name": "Crypt::OpenSSL::PKCS12::create_as_string"}, {"name": "Crypt::OpenSSL::PKCS12::certificate"}, {"name": "Crypt::OpenSSL::PKCS12::ca_certificate"}, {"name": "Crypt::OpenSSL::PKCS12::private_key"}, {"name": "Crypt::OpenSSL::PKCS12::info_as_hash"}, {"name": "Crypt::OpenSSL::PKCS12::info"}], "repo": "https://github.com/dsully/perl-crypt-openssl-pkcs12", "vendor": "JONASBN", "versions": [{"lessThanOrEqual": "1.94", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.\n\nPassword parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded.\n\nThe C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-170", "description": "CWE-170 Improper Null Termination", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-17T18:51:41.420Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md"}], "solutions": [{"lang": "en", "value": "Upgrade to 1.95 or later."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-05-13T00:00:00.000Z", "value": "CPANSec identified issue"}, {"lang": "en", "time": "2026-05-13T00:00:00.000Z", "value": "Author was notified"}, {"lang": "en", "time": "2026-05-17T00:00:00.000Z", "value": "Maintainer released patch version"}], "title": "Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/17/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-17T21:18:34.820Z"}}]}}