Crypt::OpenSSL::PKCS12 CVE-2026-8721

EUVD-2026-30707 | CRITICAL
Improper Null Termination (CWE-170)
2026-05-17 | 9b29abf9-4ab0-4765-b253-1875cd9b441e | GHSA-hh8h-hxcj-2pm7
CVSS 3.1: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 18, 2026 - 13:23 (vuln.today)
CVSS changed: May 18, 2026 - 13:22 (NVD), 9.8 (CRITICAL)
CVE Published: May 17, 2026 - 19:16 (nvd), UNKNOWN (no severity yet)

Description (NVD)

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs.

Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded.

The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary, KDF-derived and HMAC-derived passwords lose entropy without any warning.
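
The truncation described above, modelled in plain C as an added example (not code from PKCS12.xs or from the module's authors): `pw_scalar` is a hypothetical stand-in for a Perl scalar's pointer plus length, and the sample keys are constructed. `bytes_dropped` is the kind of check to run over binary passwords that were passed to an affected version.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a Perl scalar: a byte buffer plus the length
 * Perl tracks for it. Perl strings may legally contain NUL bytes. */
typedef struct { const char *buf; size_t len; } pw_scalar;

/* What a char * parameter conveys (the SvPV_nolen path): only the pointer,
 * so the callee's strlen() stops at the first NUL byte. */
size_t len_seen_via_char_ptr(pw_scalar pw) {
    return strlen(pw.buf);
}

/* Audit check: how many supplied bytes the char * path silently drops.
 * Non-zero means the password is affected by the truncation. */
size_t bytes_dropped(pw_scalar pw) {
    const char *nul = memchr(pw.buf, '\0', pw.len);
    return nul ? pw.len - (size_t)(nul - pw.buf) : 0;
}

/* Two different passwords become interchangeable on the char * path when
 * they agree on every byte before the first NUL. */
int equivalent_via_char_ptr(pw_scalar a, pw_scalar b) {
    size_t la = len_seen_via_char_ptr(a), lb = len_seen_via_char_ptr(b);
    return la == lb && memcmp(a.buf, b.buf, la) == 0;
}

/* Constructed sample inputs: 8-byte binary values such as a KDF or HMAC
 * could emit, plus one ordinary text password. */
static const char KEY_A[] = "\x4b\x9c\x00\x11\x22\x33\x44\x55";
static const char KEY_B[] = "\x4b\x9c\x00\xee\xdd\xcc\xbb\xaa";
static const char KEY_C[] = "\x00\x01\x02\x03\x04\x05\x06\x07";
static const char TEXT_PW[] = "correct horse";

int main(void) {
    pw_scalar pws[] = { {KEY_A, 8}, {KEY_B, 8}, {KEY_C, 8}, {TEXT_PW, 13} };
    for (size_t i = 0; i < sizeof pws / sizeof pws[0]; i++)
        printf("pw %zu: supplied=%zu used=%zu dropped=%zu\n", i, pws[i].len,
               len_seen_via_char_ptr(pws[i]), bytes_dropped(pws[i]));
    printf("A and B interchangeable: %d\n",
           equivalent_via_char_ptr(pws[0], pws[1]));
    return 0;
}
```

KEY_C shows the worst case: a password whose first byte is NUL reaches the C layer as the empty string.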

Analysis (AI)

Silent password truncation in the Perl module Crypt::OpenSSL::PKCS12 versions up to and including 1.94 causes any password bytes at or after the first embedded NULL byte to be dropped without warning. The flaw stems from password parameters being declared as char* in PKCS12.xs, routing through Perl's default typemap to SvPV_nolen and discarding the Perl-known length before C strlen() truncates the buffer. …


Remediation (AI)

Within 24 hours: identify all use of Crypt::OpenSSL::PKCS12 version 1.94 or earlier in production systems. Within 7 days: determine if affected versions generated any PKCS12 keystores; begin evaluation and testing of alternative libraries. …
