CVE-2026-8721 - Vulnerability Details

- Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs

Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.

Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded.

The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Published: 2026-05-17

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Crypt::OpenSSL::PKCS12 versions 1.94 and earlier treat passwords as C strings, trimming any content at the first NULL byte. The library determines length with strlen, so bytes at or after the first NULL are silently discarded. This truncation reduces the entropy of passwords that contain embedded NULLs or binary data, a behavior classified as CWE‑170, weakening the confidentiality of the PKCS12 keystore. It is inferred that a weaker password may allow an attacker to recover private keys or certificates more readily if they can influence or guess the password.

Affected Systems

JONASBN Crypt::OpenSSL::PKCS12 for Perl, versions through 1.94. All installations using any of these releases are affected until an upgrade to 1.95 or later is applied.

Risk and Exploitability

Any password containing a NULL byte is truncated, a behavior described by CWE‑170, so an attacker could construct a password that causes the keystore to use a much weaker key. This behavior can be exploited locally, as the password is supplied to the library within a process. The CVSS score of 9.8 indicates a critical severity, while the EPSS score of < 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack vector is local or in‑process, and that the reduced entropy could facilitate brute‑force attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

JONASBN

Crypt::OpenSSL::PKCS12

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.94

No data.

Vendor Product Confidence Versions

Jonasbn

Crypt::openssl::pkcs12

100%

Version	Status	Scheme	Platform
`[0,1.94]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to 1.95 or later.

OpenCVE Recommended Actions

Upgrade Crypt::OpenSSL::PKCS12 to version 1.95 or later
If an upgrade is not immediately possible, avoid using passwords with embedded NULL bytes or other binary data; use only plain‑text passwords without NULL characters
Review any PKCS12 keystores created with older versions and regenerate them with a secure password and the updated library

Generated by OpenCVE AI on May 18, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/17/6
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

History

Mon, 18 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 18 May 2026 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jonasbn Jonasbn crypt::openssl::pkcs12
Vendors & Products		Jonasbn Jonasbn crypt::openssl::pkcs12

Sun, 17 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/17/6

Sun, 17 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Title		Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Weaknesses		CWE-170
References		https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

Subscriptions

Jonasbn Crypt::openssl::pkcs12

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-05-17T18:51:41.420Z

Updated: 2026-05-18T12:56:41.486Z

Reserved: 2026-05-16T01:07:36.063Z

Link: CVE-2026-8721

Vulnrichment

Updated: 2026-05-17T21:18:34.820Z

NVD

Status : Deferred

Published: 2026-05-17T19:16:25.310

Modified: 2026-05-18T17:40:45.343

Link: CVE-2026-8721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T15:15:28Z

Weaknesses

CWE-170
Improper Null Termination

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object