CVE-2026-8721

Critical

Published: 17 May 2026

Published

17 May 2026

Modified

18 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8721 is a critical-severity Improper Null Termination (CWE-170) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen()…

on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-170

Affected Products

—

PKCS12

inferred from references and description; NVD did not file a CPE for this CVE

References

https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md
9b29abf9-4ab0-4765-b253-1875cd9b441e
http://www.openwall.com/lists/oss-security/2026/05/17/6
af854a3a-2127-422b-91ae-364da2661108