CVE-2026-8721

Name of the Vulnerable Software and Affected Versions Crypt::OpenSSL::PKCS12 versions prior to 1.95

Description The software truncates passwords containing embedded NULL characters. In the PKCS12.xs file, password parameters are declared as char *, which utilizes Perl's default typemap SvPV nolen, causing the Perl length to be discarded. Consequently, the C code or OpenSSL internally invokes the strlen() function on the buffer, resulting in any password bytes at or after the first NULL being silently dropped. This leads to a loss of entropy for binary, KDF-derived, or HMAC-derived passwords without any warnings.

Recommendations Update to version 1.95 or later.