
CVE-2026-8721 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-8721 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-8721 is a password truncation vulnerability in the Perl module Crypt::OpenSSL::PKCS12 (versions through 1.94) that causes passwords containing embedded NULL bytes to be silently shortened during PKCS12 cryptographic operations.

Technical Detail

The flaw originates in PKCS12.xs, where password parameters are declared as char * and processed through Perl's default SvPV typemap, which terminates string handling at the first NULL byte. An attacker or application supplying a password with an embedded NULL will have that password truncated to only the portion preceding the NULL, meaning the effective password used for encryption or authentication is shorter and weaker than intended. In contexts where an attacker can influence or predict the truncated value, this could lead to authentication bypass or decryption of protected PKCS12 material that should be inaccessible.

Exploitation Status

No known exploit exists for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as none, meaning no public proof-of-concept or weaponized code has been identified. Despite the critical CVSS score of 9.8, exploitation has not been observed in the wild as of this writing.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this vulnerability.

What To Do

Operators using Crypt::OpenSSL::PKCS12 in any Perl application should upgrade to a patched version beyond 1.94 as soon as one is available from the module maintainers on CPAN. In the interim, applications should be audited to determine whether they accept or process passwords that may contain NULL bytes, and input validation should be enforced to reject or sanitize such values before they reach PKCS12 operations. Any PKCS12 files protected with passwords that may have been subject to truncation should be considered potentially weakened and re-encrypted with verified, NULL-free credentials. Given the critical CVSS rating, patching should be treated as high priority even in the absence of confirmed exploitation.
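The interim guard described above, as an added example that is not from the briefing or from the Crypt::OpenSSL::PKCS12 project: unpack("Z*") models what a C char * consumer sees (everything before the first NUL), and the wrapper refuses such passwords before they reach the module. The sample password is constructed, and the method names new_from_file and private_key are assumed to match the module's API.

```perl
use strict;
use warnings;

# Model of the defect: a C string consumer stops at the first NUL byte.
# unpack('Z*') returns exactly the prefix a char * routine would use.
sub effective_password {
    my ($pw) = @_;
    return unpack('Z*', $pw);
}

# Guard: refuse any password that would be silently shortened.
# Returns the password unchanged when it is NUL-free.
sub assert_nul_free {
    my ($pw) = @_;
    die "password contains an embedded NUL byte; refusing PKCS12 operation\n"
        if index($pw, "\0") >= 0;
    return $pw;
}

# Wrapper around the PKCS12 open (assumed API: new_from_file / private_key).
# The check runs before the module ever sees the value.
sub open_pkcs12_safely {
    my ($path, $pw) = @_;
    assert_nul_free($pw);
    require Crypt::OpenSSL::PKCS12;
    my $p12 = Crypt::OpenSSL::PKCS12->new_from_file($path);
    return $p12->private_key($pw);
}

# Constructed sample: the operator intended a 21-byte secret, but a NUL
# after "hunter2" leaves only 7 bytes in effect.
my $intended = "hunter2\0extra-entropy";
printf "intended length %d, effective length %d (%s)\n",
    length $intended,
    length(effective_password($intended)),
    effective_password($intended);

# With the guard in place the operation is rejected instead of weakened.
eval { open_pkcs12_safely('/path/to/bundle.p12', $intended) };
print "rejected: $@" if $@;
```

Auditing existing bundles with the same length comparison tells you which ones were protected by a shorter password than intended and need re-encryption.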
