Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.
AnalysisAI
Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.
Technical ContextAI
The vulnerability resides in hashcat's rule engine implementation (src/rp_cpu.c), specifically in functions that convert password bytes to hexadecimal representation. Hashcat uses rule-based password mangling to generate candidate passwords during hash cracking operations. The affected functions allocate fixed-size stack buffers but fail to validate that the 2x expansion from byte-to-hex conversion fits within allocated space. When processing passwords ≥128 characters with hex conversion rules (invoked via -j/-k command-line options or embedded in rule files), the conversion writes beyond buffer boundaries. This is a classic CWE-787 (Out-of-bounds Write) condition affecting the stack memory region. CPE identifies hashcat:hashcat:7.1.2 as affected. The stack-based nature makes exploitation more complex than heap overflows but potentially enables return address overwriting for control-flow hijacking.
RemediationAI
Primary mitigation: Upgrade to hashcat version newer than 7.1.2 once patched release becomes available. Monitor hashcat GitHub repository (https://github.com/hashcat/hashcat) for security advisories and commits addressing CVE-2026-42482. Immediate compensating controls for version 7.1.2: (1) Restrict password candidate length to <128 characters when using -j/-k hex conversion rules-enforced via pre-processing scripts or input validation (trade-off: limits testing of long passphrases). (2) Audit and sanitize all rule files before use-reject rules invoking hex mangling on untrusted input (trade-off: manual review overhead, potential missed attack patterns). (3) Run hashcat in sandboxed/containerized environments with limited privileges to contain potential RCE impact (trade-off: performance overhead from isolation). (4) For multi-user or cloud deployments, implement strict input validation rejecting rule files and candidates from untrusted sources (trade-off: reduces flexibility for collaborative cracking). POC analysis at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f provides technical validation for testing mitigations.
Same weakness CWE-787 – Out-of-bounds Write
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26529