9.8
CVE-2026-8721: Perl Crypt::OpenSSL::PKCS12 truncates passwords with embedded NULLs
Summary
Perl's Crypt::OpenSSL::PKCS12 module, used for secure password handling, truncates any password that contains an embedded NULL byte: the bytes at and after the first NULL are silently dropped, so passwords containing NULLs have less entropy than the caller believes. Update to a version of Crypt::OpenSSL::PKCS12 that fixes this issue to ensure the full password is used.
Original title
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs.
Original description
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs.
Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen; the Perl string length is discarded.
The C code (or OpenSSL internally) then calls strlen() on the buffer, so any password byte at or after the first NULL is silently dropped. Binary, KDF-derived, or HMAC-derived passwords lose entropy without any warning.
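The two paths described above, as an added example that is not code from Crypt::OpenSSL::PKCS12 or from the CVE report: one helper recovers the password length the way the char * typemap path does (strlen(), Perl length discarded), the other carries the caller's explicit length as a length-aware binding would. The sample password SAMPLE_PW is constructed for the example; the helper names are assumptions. A third helper is the pre-flight check a caller can run to learn how many bytes such an interface would silently drop.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 7-byte KDF-style password whose third byte is NUL.
 * The string literal adds a trailing terminator, so strlen() stays in bounds. */
static const char SAMPLE_PW[] = "s3\0cr3t";
#define SAMPLE_PW_LEN (sizeof SAMPLE_PW - 1) /* 7 bytes, terminator excluded */

/* Vulnerable pattern: the length that came with the buffer is discarded
 * (as happens when an XS parameter is declared char * and goes through
 * SvPV_nolen) and strlen() rediscovers it, stopping at the first NUL. */
size_t effective_len_strlen(const char *pw, size_t pw_len) {
    (void)pw_len;                 /* Perl length thrown away */
    return strlen(pw);            /* everything after the first NUL is lost */
}

/* Hardened pattern: keep the explicit length (the STRLEN an SvPV(sv, len)
 * call returns) and never let C string functions guess it. */
size_t effective_len_explicit(const char *pw, size_t pw_len) {
    (void)pw;
    return pw_len;
}

/* Defensive check for callers: how many password bytes a strlen()-based
 * interface would drop. 0 means the password survives such an interface. */
size_t bytes_lost_to_truncation(const char *pw, size_t pw_len) {
    const char *nul = memchr(pw, 0, pw_len);
    return nul ? pw_len - (size_t)(nul - pw) : 0;
}

/* Convenience predicate: does the password contain an embedded NUL? */
int has_embedded_nul(const char *pw, size_t pw_len) {
    return memchr(pw, 0, pw_len) != NULL;
}

int main(void) {
    printf("declared length : %zu\n", effective_len_explicit(SAMPLE_PW, SAMPLE_PW_LEN));
    printf("strlen() sees   : %zu\n", effective_len_strlen(SAMPLE_PW, SAMPLE_PW_LEN));
    printf("bytes lost      : %zu\n", bytes_lost_to_truncation(SAMPLE_PW, SAMPLE_PW_LEN));
    return 0;
}
```

Until an upgraded module is in place, a caller can run the check above on any binary or KDF-derived password and reject or re-derive those with an embedded NUL rather than accept a silently shortened secret.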
Vulnerability type
CWE-170: Improper Null Termination
Published: 17 May 2026 · Updated: 24 May 2026 · First seen: 17 May 2026