Description
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.

Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded.

The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Published: 2026-05-17
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crypt::OpenSSL::PKCS12 versions 1.94 and earlier treat passwords as C strings, trimming any content at the first NULL byte. The library determines length with strlen, so bytes at or after the first NULL are silently discarded. This truncation reduces the entropy of passwords that contain embedded NULLs or binary data, weakening the confidentiality of the PKCS12 keystore. It is inferred that a weaker password may allow an attacker to recover private keys or certificates more readily if they can influence or guess the password.

Affected Systems

JONASBN Crypt::OpenSSL::PKCS12 for Perl, versions through 1.94. All installations using any of these releases are affected until an upgrade to 1.95 or later is applied.

Risk and Exploitability

Any password containing a NULL byte is truncated, so an attacker could construct a password that causes the keystore to use a much weaker key. This behavior can be exploited locally, as the password is supplied to the library within a process. The vulnerability has no official CVSS score listed, and its EPSS score is not available. It is not listed in the CISA KEV catalog. It is inferred that the attack vector is local or in‑process, and that the reduced entropy could facilitate brute‑force attacks.

Generated by OpenCVE AI on May 17, 2026 at 20:50 UTC.

Remediation

Vendor Solution

Upgrade to 1.95 or later.

OpenCVE Recommended Actions

  • Upgrade Crypt::OpenSSL::PKCS12 to version 1.95 or later
  • If an upgrade is not immediately possible, avoid using passwords with embedded NULL bytes or other binary data; use only plain‑text passwords without NULL characters
  • Review any PKCS12 keystores created with older versions and regenerate them with a secure password and the updated library

Generated by OpenCVE AI on May 17, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Jonasbn
Jonasbn crypt::openssl::pkcs12
Vendors & Products Jonasbn
Jonasbn crypt::openssl::pkcs12

Sun, 17 May 2026 22:30:00 +0000

Type Values Removed Values Added
References

Sun, 17 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Title Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Weaknesses CWE-170
References

Subscriptions

Jonasbn Crypt::openssl::pkcs12
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-17T21:18:34.820Z

Reserved: 2026-05-16T01:07:36.063Z

Link: CVE-2026-8721

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T19:16:25.310

Modified: 2026-05-17T22:16:21.370

Link: CVE-2026-8721

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T10:49:02Z

Weaknesses