Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords that contain embedded NULs. Password parameters in PKCS12.xs are declared `char *`, which routes them through Perl's default typemap to SvPV_nolen, so the length Perl knows is discarded. The C code (or OpenSSL internally) then calls strlen() on the buffer, and every password byte at or after the first NUL is silently dropped. Binary, KDF-derived, or HMAC-derived passwords therefore lose entropy without any warning.
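As an added illustration (not code from the module, the patch, or the advisory), the C model below mirrors the hand-off the description names, an SV with an explicit length reduced to a NUL-terminated `char *`, and adds the check and the caller-side workaround a practitioner would want. The `perl_sv` struct, the function names, and the sample passwords are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the defect: a Perl SV carries a buffer and an explicit
 * byte length, but the default char * typemap (SvPV_nolen) passes C only the
 * pointer, and the C side or OpenSSL then measures it with strlen(). */
typedef struct {
    const unsigned char *buf;  /* may contain embedded NUL bytes */
    size_t len;                /* known to Perl, discarded by the typemap */
} perl_sv;

/* Bytes the vulnerable path actually uses: everything before the first NUL
 * (an SvPV buffer is NUL-terminated after len bytes, so strlen() stops there). */
size_t effective_passlen_cstr(const perl_sv *pw)
{
    const unsigned char *nul = memchr(pw->buf, '\0', pw->len);
    return nul ? (size_t)(nul - pw->buf) : pw->len;
}

/* Defender-side check: does the whole password survive a char * API? */
bool password_safe_for_cstr_api(const perl_sv *pw)
{
    return effective_passlen_cstr(pw) == pw->len;
}

/* Passwords that differ only after an embedded NUL are indistinguishable to
 * the vulnerable path; that is the silent entropy loss the advisory describes. */
bool collide_under_truncation(const perl_sv *a, const perl_sv *b)
{
    size_t la = effective_passlen_cstr(a), lb = effective_passlen_cstr(b);
    return la == lb && memcmp(a->buf, b->buf, la) == 0;
}

/* Caller-side workaround (an assumption, not the module's fix): hex-encode the
 * binary password so it has no NUL; creation and parsing must both encode. */
size_t hex_encode_password(const perl_sv *pw, char *out, size_t outcap)
{
    static const char hex[] = "0123456789abcdef";
    if (outcap < pw->len * 2 + 1) return 0;
    for (size_t i = 0; i < pw->len; i++) {
        out[2 * i] = hex[pw->buf[i] >> 4];
        out[2 * i + 1] = hex[pw->buf[i] & 0x0f];
    }
    out[2 * pw->len] = '\0';
    return pw->len * 2;
}

/* Constructed samples: a and b agree up to the NUL; c has no NUL. */
static const unsigned char pa[] = "abc\0XYZ", pb[] = "abc\0QRS", pc[] = "abcdefg";
const perl_sv sample_a = {pa, 7}, sample_b = {pb, 7}, sample_c = {pc, 7};
```

Running the check before handing a derived secret to an API that takes `char *` turns the silent truncation into a detectable condition; the hex workaround only helps if the same encoding is applied when the PKCS#12 file is created and when it is read.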

Status: PUBLISHED | Reserved 2026-05-16 | Published 2026-05-17 | Updated 2026-05-18 | Assigner CPANSec

Problem types

CWE-170 Improper Null Termination

Product status

Default status: unaffected
Any version: affected

Timeline

2026-05-13: CPANSec identified issue
2026-05-13: Author was notified
2026-05-17: Maintainer released patch version

References

www.openwall.com/lists/oss-security/2026/05/17/6

metacpan.org/...BN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md release-notes

cve.org (CVE-2026-8721)

nvd.nist.gov (CVE-2026-8721)