CVE-2026-8721: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs

CVE-2026-8721: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs Timothy Legge 17 May 2026 18:50 UTC

========================================================================
CVE-2026-8721                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8721
   Distribution:  Crypt-OpenSSL-PKCS12
       Versions:  through 1.94

       MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-PKCS12
       VCS Repo:  https://github.com/dsully/perl-crypt-openssl-pkcs12

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates
passwords with embedded NULLs

Description
-----------
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates
passwords with embedded NULLs.

Password parameters in PKCS12.xs are declared char *, which routes
through Perl's default typemap to SvPV_nolen.  The Perl length is
discarded.

The C code (or OpenSSL internally) calls strlen() on the buffer.  Any
password byte at or after the first NULL is silently dropped. Binary /
KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Problem types
-------------
- CWE-170 Improper Null Termination

Solutions
---------
Upgrade to 1.95 or later.

References
----------
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

Timeline
--------
- 2026-05-13: CPANSec identified issue
- 2026-05-13: Author was notified
- 2026-05-17: Maintainer released patch version