Cyber Resilience

CVE-2026-8721

Critical

Published: 17 May 2026

Published
17 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 35.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-8721 is a critical-severity Improper Null Termination (CWE-170) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen()…

more

on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1600.001 Reduce Key Space Defense Impairment
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
Why these techniques?

Password truncation via NULL handling directly reduces effective key space/entropy for PKCS12 password-based encryption.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42010Shared CWE-170
CVE-2026-27692Shared CWE-170
CVE-2026-21488Shared CWE-170
CVE-2026-24852Shared CWE-170

Affected Assets

PKCS12
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References