Fluid Attacks Database

Description

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libcrypt-openssl-pkcs12-perl	=1.94-1 \|\| =1.95-1	-
debian 14	libcrypt-openssl-pkcs12-perl	=1.94-1 \|\| >=0 <1.95-1	1.95-1
debian 11	libcrypt-openssl-pkcs12-perl	=1.3-1 \|\| =1.7-1 \|\| =1.8-1 \|\| =1.9-1 \|\| =1.9-2 \|\| =1.9-3 \|\| =1.91-1 \|\| =1.92-1 \|\| =1.93-1 \|\| =1.94-1 \|\| =1.95-1	-

Aliases

1. CVE-2026-87212. NVD-2026-87213. OSV-DEBIAN-2026-87214. OSV-2026-87215. SECURITY-TRACKER-CVE-2026-8721

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.