CVE Catalog

CVE-2026-8721

Critical
Published: Translated: NVD NIST

Summary

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which leads to the loss of password length in Perl.

Risk Assessment

Organizations may be at risk of losing password entropy, potentially weakening data security. Users may be unaware that their passwords are incomplete.

Recommendation

It is recommended to upgrade to the latest version of Crypt::OpenSSL::PKCS12 to avoid issues with password truncation. A password audit should also be conducted to ensure their integrity.

Original NVD description (English source)

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS