Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.
AnalysisAI
Heap-based buffer overflow in hashcat 7.1.2's Kerberos hash parser enables remote code execution without authentication. Attacker supplies a maliciously crafted Kerberos hash file with manipulated delimiter positions to overflow the fixed-size account_info buffer during memcpy operations in module_hash_decode. The vulnerability affects multiple Kerberos-related hashcat modules due to missing upper-bound validation on account_info_len before memory copy. CVSS 9.8 with network attack vector, but real-world exploitation requires user processing the malicious file. EPSS data not available; no active exploitation confirmed in CISA KEV at time of analysis.
Technical ContextAI
hashcat is an advanced password recovery and hash cracking utility supporting over 300 hash types. The vulnerability resides in module_hash_decode functions across Kerberos-related cracking modules (likely including Kerberos 5 TGS-REP, AS-REP, and Pre-Auth variants). When parsing Kerberos hash input files, the code calculates account_info_len by locating delimiter positions in untrusted input without validating the resulting length against the destination buffer size. This classic CWE-787 (Out-of-bounds Write) allows a heap overflow when memcpy copies attacker-controlled data exceeding the fixed account_info buffer capacity. Affected product identified by CPE cpe:2.3:a:hashcat:hashcat:7.1.2, specifically version 7.1.2. The heap-based nature makes exploitation more complex than stack overflows but enables potential code execution by overwriting adjacent heap metadata or function pointers.
RemediationAI
Upgrade to hashcat version 7.2.0 or later if available - patch version not independently confirmed from provided data; users must verify current stable release at https://github.com/hashcat/hashcat/releases. Review the POC analysis at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f to understand exploit mechanics. Until patched version is deployed, implement these compensating controls: (1) Process only hash files from trusted sources with verified integrity; (2) Run hashcat in sandboxed environments (containers, VMs with snapshot rollback) when analyzing unknown hash files - limits blast radius but adds operational overhead; (3) Implement input validation wrapper scripts that verify hash file structure and delimiter counts before passing to hashcat - requires custom development and may not catch all malformed inputs; (4) Disable or avoid Kerberos hash cracking modules if not operationally required - reduces attack surface but eliminates key functionality. Organizations using hashcat in automated pipelines should implement strict input sanitization and consider halting processing of externally sourced Kerberos hashes until patch confirmation.
Same weakness CWE-787 – Out-of-bounds Write
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26530