CVE-2026-8721 Overview
CVE-2026-8721 is a password truncation vulnerability in the Crypt::OpenSSL::PKCS12 Perl module through version 1.94. The module silently truncates passwords containing embedded NULL bytes when processing PKCS#12 files. Password parameters in PKCS12.xs are declared as char *, which Perl's default typemap routes through SvPV_nolen, discarding the actual Perl string length. Downstream C code or OpenSSL then calls strlen() on the buffer, dropping every byte at or after the first NULL. Binary passwords, KDF-derived secrets, and HMAC-derived passwords lose entropy without any warning, weakening certificate protection [CWE-170].
Critical Impact
Passwords with embedded NULL bytes are silently truncated, drastically reducing entropy and exposing PKCS#12-protected keys to brute-force attacks.
Affected Products
- Crypt::OpenSSL::PKCS12 for Perl, versions through 1.94
- Perl applications that pass binary or derived passwords to PKCS#12 operations
- Downstream tooling that wraps Crypt::OpenSSL::PKCS12 for certificate handling
Discovery Timeline
- 2026-05-17 - CVE-2026-8721 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8721
Vulnerability Analysis
The Crypt::OpenSSL::PKCS12 module exposes XS bindings that accept passwords from Perl and forward them to OpenSSL's PKCS#12 routines. Perl strings are length-prefixed and can legitimately contain NULL bytes, particularly when callers derive passwords from key derivation functions (KDFs), HMACs, or other binary sources. The vulnerability arises because the XS layer treats the Perl scalar as a C string instead of a length-bounded buffer.
When a caller supplies a 32-byte HMAC-derived password whose third byte is 0x00, the module effectively uses only the first two bytes. The PKCS#12 file is encrypted and integrity-protected with this truncated secret, but decryption succeeds against the same truncated value, so the defect remains invisible during functional testing.
Root Cause
The password arguments in PKCS12.xs are declared as char *. Perl's default typemap converts these scalars using SvPV_nolen, which returns a pointer to the string buffer but discards the explicit Perl-side length. Subsequent calls inside the C glue or within OpenSSL invoke strlen() to measure the password, terminating at the first NULL byte. Per [CWE-170: Improper Null Termination], the mismatch between Perl's counted-string semantics and C's NULL-terminated semantics silently corrupts the input.
Attack Vector
An attacker who obtains a PKCS#12 file produced with a binary password can mount an offline brute-force or dictionary attack against the truncated key space. A 256-bit KDF output containing an early NULL byte may collapse to only a handful of effective bytes of entropy. Because no warning is emitted, defenders cannot detect that their certificates are protected by an effectively short password until the keys are compromised.
The vulnerability is exploited through possession of the resulting PKCS#12 artifact rather than direct interaction with the module, so any system that distributes, backs up, or stores PKCS#12 bundles generated with binary passwords is exposed.
Detection Methods for CVE-2026-8721
Indicators of Compromise
- Presence of Crypt-OpenSSL-PKCS12 versions at or below 1.94 in Perl module inventories or cpanfile.snapshot files.
- PKCS#12 files generated by Perl tooling that accept binary, KDF-derived, or HMAC-derived passwords.
- Code paths that pass pack() output, Digest::SHA::hmac_sha256 results, or random byte strings as the password argument.
Detection Strategies
- Audit Perl source for calls to Crypt::OpenSSL::PKCS12 methods new_from_string, create, and mac_ok that supply non-ASCII passwords.
- Run static analysis to flag password arguments produced by binary-producing functions such as pack, random_bytes, hkdf, or HMAC routines.
- Validate generated .p12 files by attempting decryption with the password truncated at the first NULL byte; success indicates the module silently dropped entropy.
Monitoring Recommendations
- Track package manager events that install or upgrade Crypt-OpenSSL-PKCS12 across build hosts and production systems.
- Log PKCS#12 generation operations along with the password source and a hash of the full intended password for after-the-fact correlation.
- Alert on certificate stores or HSM imports where the originating PKCS#12 file was produced by a vulnerable module version.
How to Mitigate CVE-2026-8721
Immediate Actions Required
- Upgrade Crypt::OpenSSL::PKCS12 to version 1.95 or later on all systems that use the module.
- Re-issue or re-export any PKCS#12 bundles created with binary passwords using a patched module version.
- Rotate private keys whose PKCS#12 containers were generated with KDF-derived or HMAC-derived passwords that may contain NULL bytes.
Patch Information
The maintainer released Crypt-OpenSSL-PKCS12 1.95 to address the truncation defect. Refer to the MetaCPAN Release Changes and the OpenWall OSS Security Announcement for vendor-confirmed details.
Workarounds
- Restrict PKCS#12 passwords to printable ASCII strings without embedded NULL bytes until the module is upgraded.
- Hex-encode or base64-encode binary password material before passing it to the module so the value contains no NULL bytes.
- Wrap calls to the module in a pre-flight check that rejects any password containing \\x00 and raises an error to the caller.
# Upgrade the module via cpanm and verify the installed version
cpanm Crypt::OpenSSL::PKCS12@1.95
perl -MCrypt::OpenSSL::PKCS12 -E 'say $Crypt::OpenSSL::PKCS12::VERSION'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
