CVE-2026-8721

Received Received - Intake

BaseFortify

Publication date: 2026-05-17

Last updated on: 2026-05-18

Assigner: CPANSec

Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-17

Last Modified

2026-05-18

Generated

2026-05-20

EPSS Evaluated

2026-05-19

NVD

CVE-2026-8721

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-170	The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

Attack-Flow Graph

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-8721

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

Ask Our AI Assistant

EPSS Chart