CVE-2026-8721— Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Possible ATT&CK Techniques 1AI
T1552.005 · Cloud Instance Metadata APIAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| JONASBN | Crypt::OpenSSL::PKCS12 | ≤ 1.94 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8721
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Source: NVD (National Vulnerability Database)
Vulnerability Description
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不恰当的空终结符
Source: NVD (National Vulnerability Database)
Vulnerability Title
Crypt::OpenSSL::PKCS12 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Crypt::OpenSSL::PKCS12是Dan Sully个人开发者的一个用于 Perl 语言的开源密码学扩展模块,主要提供了对 OpenSSL PKCS12 API 的接口调用能力。 Crypt::OpenSSL::PKCS12 1.94及之前版本存在安全漏洞,该漏洞源于密码参数声明为char*,通过Perl默认typemap路由到SvPV_nolen,丢弃Perl长度,C代码或OpenSSL内部对缓冲区调用strlen,导致第一个NULL之后的所有密码字节被静默丢弃,二进制或KDF派生或HMAC
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| JONASBN | Crypt::OpenSSL::PKCS12 | 0 ~ 1.94 | - |
II. Public POCs for CVE-2026-8721
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8721
请登录查看更多情报信息。
Other · 1
IV. Related Vulnerabilities
Same weakness: CWE-170
- CVE-2026-34032
Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due - CVE-2026-40334
libgphoto2 missing null termination in ptp_unpack_Canon_FE() - CVE-2026-33948
jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Pr - CVE-2026-2239
Gimp: gimp: application crash (dos) via crafted psd file due - CVE-2026-32837
mackron / miniaudio Out-of-Bounds Read in BEXT Coding Histor
V. Comments for CVE-2026-8721
No comments yet