An embedded NUL byte is a zero value (\u0000) that appears inside a string rather than at the end. In C and many C-like APIs, strings are treated as NUL-terminated, so processing stops as soon as a NUL is seen. That means the visible text may be longer than what the lower-level code actually uses.
This matters in security because mismatched string handling can cause authentication bypasses, truncation bugs, or secret-handling errors. For example, a password that contains an embedded NUL may be accepted by a higher-level language as one full value, but a C function may compare only the prefix before the zero byte. Attackers can abuse this difference to weaken checks or confuse parsers, while defenders look for it when code crosses language boundaries, especially between Perl, C, or other native extensions. Safe code must pass explicit lengths instead of relying on terminators.