Skip to main content

hashcat CVE-2026-42482

| EUVDEUVD-2026-26529 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-01 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 17:52 vuln.today
CVSS changed
May 01, 2026 - 17:52 NVD
9.8 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26529
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.

AnalysisAI

Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.

Technical ContextAI

The vulnerability resides in hashcat's rule engine implementation (src/rp_cpu.c), specifically in functions that convert password bytes to hexadecimal representation. Hashcat uses rule-based password mangling to generate candidate passwords during hash cracking operations. The affected functions allocate fixed-size stack buffers but fail to validate that the 2x expansion from byte-to-hex conversion fits within allocated space. When processing passwords ≥128 characters with hex conversion rules (invoked via -j/-k command-line options or embedded in rule files), the conversion writes beyond buffer boundaries. This is a classic CWE-787 (Out-of-bounds Write) condition affecting the stack memory region. CPE identifies hashcat:hashcat:7.1.2 as affected. The stack-based nature makes exploitation more complex than heap overflows but potentially enables return address overwriting for control-flow hijacking.

RemediationAI

Primary mitigation: Upgrade to hashcat version newer than 7.1.2 once patched release becomes available. Monitor hashcat GitHub repository (https://github.com/hashcat/hashcat) for security advisories and commits addressing CVE-2026-42482. Immediate compensating controls for version 7.1.2: (1) Restrict password candidate length to <128 characters when using -j/-k hex conversion rules-enforced via pre-processing scripts or input validation (trade-off: limits testing of long passphrases). (2) Audit and sanitize all rule files before use-reject rules invoking hex mangling on untrusted input (trade-off: manual review overhead, potential missed attack patterns). (3) Run hashcat in sandboxed/containerized environments with limited privileges to contain potential RCE impact (trade-off: performance overhead from isolation). (4) For multi-user or cloud deployments, implement strict input validation rejecting rule files and candidates from untrusted sources (trade-off: reduces flexibility for collaborative cracking). POC analysis at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f provides technical validation for testing mitigations.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-42482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy