Password Truncation Issue in Crypt::OpenSSL::PKCS12 (Perl module)
CVE-2026-8721

9.8 CRITICAL

Key Information:

Vendor

Jonasbn

CVE Published:
17 May 2026

What is CVE-2026-8721?

The Crypt::OpenSSL::PKCS12 module for Perl has a significant vulnerability in how password parameters are handled. When a password contains embedded NULL characters, the module truncates it at the first NULL without warning, leading to information loss and reduced security. The root cause is the type declaration of the password parameters, which is set to char *. A char * carries no length, so the underlying C code treats the password as a NULL-terminated string: the actual byte length is disregarded and any bytes following the first NULL are silently discarded. This is a serious risk for users who rely on binary, key derivation function (KDF), or HMAC-derived passwords, since such values routinely contain NULL bytes and the truncation compromises their entropy and overall effectiveness.
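The following C program is an added illustration of the truncation described above; it is not code from Crypt::OpenSSL::PKCS12 or its author. It models the two ways a password can reach C code: through a char * parameter (no length, so the callee can only see up to the first NULL) and through a pointer plus an explicit byte length (the pattern a fix needs; in Perl XS that means taking an SV* and reading it with SvPV(sv, len) rather than a char * typemap). The two sample passwords are constructed here and stand in for KDF- or HMAC-derived secrets that happen to share a prefix before an embedded NULL. The function names are hypothetical, and would_truncate() is the kind of pre-flight check a caller can run before handing binary material to a char*-only API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample secrets (not from the advisory): two 12-byte passwords
 * that are identical up to an embedded NUL at offset 4 and differ afterwards.
 * They stand in for binary / KDF- or HMAC-derived passwords, which routinely
 * contain NUL bytes. */
static const unsigned char PW_A[] = {'K','D','F','!',0x00,'a','a','a','a',0x7f,0x80,0xff};
static const unsigned char PW_B[] = {'K','D','F','!',0x00,'b','b','b','b',0x01,0x02,0x03};
#define PW_LEN 12

/* Number of bytes a callee that receives only a `char *` can actually see:
 * it has no length, so it must stop at the first NUL (what strlen() does). */
size_t effective_len_via_char_ptr(const unsigned char *pw, size_t len) {
    const unsigned char *nul = memchr(pw, 0, len);
    return nul ? (size_t)(nul - pw) : len;
}

/* Returns 1 if passing this password through a char*-typed parameter would
 * silently drop bytes, 0 if the full buffer survives. */
int would_truncate(const unsigned char *pw, size_t len) {
    return effective_len_via_char_ptr(pw, len) != len;
}

/* Length-aware comparison: the hardened pattern. Every byte counts. */
int passwords_equal_with_length(const unsigned char *a, size_t alen,
                                const unsigned char *b, size_t blen) {
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Comparison as seen through a char*-typed parameter (the vulnerable pattern):
 * only the prefix before the first NUL survives, so distinct secrets that share
 * that prefix compare equal. */
int passwords_equal_via_char_ptr(const unsigned char *a, size_t alen,
                                 const unsigned char *b, size_t blen) {
    size_t ea = effective_len_via_char_ptr(a, alen);
    size_t eb = effective_len_via_char_ptr(b, blen);
    return ea == eb && memcmp(a, b, ea) == 0;
}

int main(void) {
    printf("effective length of PW_A via char*: %zu of %d bytes\n",
           effective_len_via_char_ptr(PW_A, PW_LEN), PW_LEN);
    printf("PW_A would be truncated: %d\n", would_truncate(PW_A, PW_LEN));
    printf("PW_A == PW_B (length-aware): %d\n",
           passwords_equal_with_length(PW_A, PW_LEN, PW_B, PW_LEN));
    printf("PW_A == PW_B (through char*): %d\n",
           passwords_equal_via_char_ptr(PW_A, PW_LEN, PW_B, PW_LEN));
    return 0;
}
```

Run as-is, the program shows that PW_A is reduced from 12 usable bytes to 4, and that PW_A and PW_B, which differ in 8 of their 12 bytes, become indistinguishable once they pass through a char * parameter. The practical mitigation on the caller side is to reject or re-encode (for example, hex- or base64-encode) any password for which would_truncate() returns 1 until a fixed module version that keeps the length is in use.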

Affected Version(s)

Crypt::OpenSSL::PKCS12, versions 0 through 1.94 inclusive (0 <= version <= 1.94)

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved