CRITICAL🇵🇱 Wersja polska

CVE-2026-8721

CVSS 9.8pub. 2026-05-17upd. 2026-05-18

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

🤖 AI Analysis
How it works

Password parameters in the PKCS12.xs file are declared as char * type, which causes them to be handled by Perl's default type map (SvPV_nolen), which ignores string length information. Subsequently, C code or internal OpenSSL mechanisms call the strlen() function on the buffer, which stops at the first NULL byte. As a result, any password data located after the first NULL byte is silently discarded. This applies in particular to binary passwords and passwords derived from KDF or HMAC functions, which may naturally contain zero-valued bytes.

Impact

An attacker can much more easily crack the password of a protected PKCS12 file, because the effective entropy of the password is unexpectedly and silently reduced. In scenarios where passwords are generated in binary form or derived cryptographically, the actual strength of cryptographic protection may be drastically lower than assumed by the administrator or application.

Mitigation & patch

The Crypt::OpenSSL::PKCS12 library should be updated to version 1.95 or newer, in which the issue has been fixed. Details of the change are available in the changelog published on metacpan.org.

Who is affected

Crypt::OpenSSL::PKCS12 for Perl in all versions up to and including 1.94.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References