| Name | CVE-2026-8721 |
|---|---|
| Description | Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULs. Password parameters in PKCS12.xs are declared `char *`, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NUL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warning. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
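As an added illustration, not code from the module, from OpenSSL or from Debian: a small C model of the failure the description names. A Perl scalar reaches XS as a pointer plus a length; the `char *` typemap keeps only the pointer, so whatever consumes it measures with strlen() and stops at the first NUL. The sample password bytes are constructed, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 16 raw bytes, as a KDF- or HMAC-derived password
 * might look, with a NUL at offset 5. Not taken from the advisory. */
#define SAMPLE_PW_LEN 16
static const unsigned char SAMPLE_PW[SAMPLE_PW_LEN + 1] = {
    0xa7, 0x3b, 0x19, 0xe0, 0x5c, 0x00, 0x8f, 0x42,
    0xd1, 0x07, 0x66, 0x2a, 0xb9, 0xf3, 0x1e, 0x90,
    0x00 /* terminator so strlen() cannot run past the buffer */
};

/* Vulnerable path: the char* typemap hands the C side only the pointer
 * from SvPV_nolen; the Perl length is gone, so the consumer measures
 * the password with strlen() and stops at the first NUL. */
size_t bytes_seen_via_char_typemap(const unsigned char *pv) {
    return strlen((const char *)pv);
}

/* How many of the declared bytes a strlen()-based consumer drops. */
size_t bytes_dropped(const unsigned char *pv, size_t len) {
    size_t used = strlen((const char *)pv);
    return used < len ? len - used : 0;
}

/* Defender-side check before handing a password to a C-string API:
 * returns 1 if a NUL inside the declared length would cut it short. */
int would_truncate(const unsigned char *pv, size_t len) {
    return memchr(pv, 0, len) != NULL;
}

int main(void) {
    printf("declared %d bytes, strlen() sees %zu, dropped %zu, would_truncate=%d\n",
           SAMPLE_PW_LEN, bytes_seen_via_char_typemap(SAMPLE_PW),
           bytes_dropped(SAMPLE_PW, SAMPLE_PW_LEN),
           would_truncate(SAMPLE_PW, SAMPLE_PW_LEN));
    return 0;
}
```

A fixed binding has to carry the Perl length alongside the pointer (SvPV with a length, rather than SvPV_nolen) and pass it to a length-aware API; the check above is what a caller can run on its own passwords while still on an affected version.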
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcrypt-openssl-pkcs12-perl (PTS) | bullseye | 1.3-1 | vulnerable |
| libcrypt-openssl-pkcs12-perl (PTS) | trixie | 1.94-1 | vulnerable |
| libcrypt-openssl-pkcs12-perl (PTS) | forky, sid | 1.95-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcrypt-openssl-pkcs12-perl | source | (unstable) | 1.95-1 | | | |
[trixie] - libcrypt-openssl-pkcs12-perl <no-dsa> (Minor issue)
[bullseye] - libcrypt-openssl-pkcs12-perl <postponed> (Minor issue, only affects passwords including a NUL byte)
https://lists.security.metacpan.org/cve-announce/msg/40149249/
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/7b90e88a97f0ebe440032b8116249d1004d7ca6f
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/468712ae04188342b263f057ad65f21a3545013b
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/68904cd32691e223ad9eeff914812b8641eea14b
https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/d69393f3207586e3c6f2fe1a21b0b8972b93f8db