CVE-2026-8721
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs
Published: 2026-05-17 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-170
Description
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warning.
Source: NVD
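An added illustration, not code from Crypt::OpenSSL::PKCS12 or from NVD, that models the typemap step described above in plain C and quantifies the entropy loss for random passwords. FakeSV is a constructed stand-in for a Perl scalar, and the reject-on-embedded-NUL check is one defensive option for a wrapper whose downstream API (OpenSSL's PKCS12_parse and PKCS12_create take a NUL-terminated pass) cannot be handed a length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for a Perl scalar (constructed here, not Perl's real SV): bytes plus
 * an explicit length. Perl keeps a NUL one byte past the length, but the
 * length, not that NUL, defines the string, so embedded NULs are legal. */
typedef struct { const unsigned char *pv; size_t cur; } FakeSV;

/* Default XS typemap for a "char *" parameter (the SvPV_nolen step in the
 * advisory): the pointer is handed over and the Perl length is dropped. */
static const char *typemap_char_star(const FakeSV *sv) { return (const char *)sv->pv; }

/* Bytes a strlen()-based consumer (the XS code or an OpenSSL PKCS12 call that
 * takes a NUL-terminated pass) actually uses. */
static size_t bytes_seen_by_strlen(const FakeSV *sv) { return strlen(typemap_char_star(sv)); }

/* Defensive check for a wrapper that must feed a NUL-terminated API: 0 if the
 * full Perl length survives, -1 if an embedded NUL would shorten the password. */
static int password_safe_for_cstring_api(const FakeSV *sv)
{
    return memchr(sv->pv, '\0', sv->cur) == NULL ? 0 : -1;
}

/* Chance that n uniformly random bytes (a KDF/HMAC output used as a password)
 * contain at least one NUL: 1 - (255/256)^n, computed without libm. */
static double truncation_probability(size_t n)
{
    double none = 1.0;
    for (size_t i = 0; i < n; i++) none *= 255.0 / 256.0;
    return 1.0 - none;
}

/* Constructed 32-byte "HMAC-derived" password with a NUL at index 5; the
 * literal's terminator plays the role of the NUL Perl keeps past the length. */
static const unsigned char sample_password[33] =
    "\x8a\x17\x3c\xf2\x41\x00\x9d\x5e\x77\x33\x12\x88\xaa\xbb\x01\x02"
    "\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12";
static const FakeSV sample_sv = { sample_password, 32 };
static const unsigned char plain_password[4] = "abc";
static const FakeSV plain_sv = { plain_password, 3 };

int main(void)
{
    printf("Perl length %zu, strlen() sees %zu, check=%d\n",
           sample_sv.cur, bytes_seen_by_strlen(&sample_sv),
           password_safe_for_cstring_api(&sample_sv));
    printf("P(random 32-byte password gets truncated) = %.3f\n",
           truncation_probability(32));
    return 0;
}
```

For the constructed sample only 5 of 32 password bytes reach the KDF, and about 11.8% of uniformly random 32-byte passwords contain at least one NUL and are affected.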
Related CVEs
Same CWE
- CVE-2026-5067 — A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-... (9.8 CRITICAL)
- CVE-2026-42010 — A flaw was found in gnutls (7.1 HIGH)