{"id":"CVE-2026-8721","summary":"Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs","details":"Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.\n\nPassword parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen.  The Perl length is discarded.\n\nThe C code (or OpenSSL internally) calls strlen() on the buffer.  Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.","modified":"2026-07-08T08:10:43.316716325Z","published":"2026-05-17T18:51:41.420Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8721.json","cna_assigner":"CPANSec","cwe_ids":["CWE-170"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/17/6"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8721.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8721"},{"type":"PACKAGE","url":"https://github.com/dsully/perl-crypt-openssl-pkcs12"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dsully/perl-crypt-openssl-pkcs12","events":[{"introduced":"0"},{"last_affected":"621d94a6d389f043ecb00bcea5e75e7a1783d34e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.94"}],"source":"AFFECTED_FIELD"}}],"versions":["1.94","1.93","1.92","1.91","1.11","1.10","1.9","1.8","1.7","1.6","1.5","1.4","1.3","1.2","1.1","1.0","0.10","0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8721.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}