Skip to main content

hashcat CVE-2026-42484

| EUVDEUVD-2026-26531 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-01 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 17:52 vuln.today
CVSS changed
May 01, 2026 - 17:52 NVD
9.8 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26531
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

AnalysisAI

Heap-based buffer overflow in hashcat 7.1.2 enables remote code execution or denial of service through maliciously crafted PKZIP hash files. Attackers can exploit inadequate input validation in the hex_to_binary function affecting PKZIP hash parser modules (17200, 17210, 17220, 17225, 17230) to overflow fixed-size buffers with arbitrary hex data. CVSS 9.8 reflects network-accessible attack vector requiring no authentication or user interaction, though real-world exploitation requires victim to process attacker-supplied hash files. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation. Public proof-of-concept exists (GitHub Gist), elevating exploitation risk for environments processing untrusted hash files.

Technical ContextAI

hashcat is a widely-deployed password recovery tool supporting 300+ hash algorithms. The vulnerability resides in the PKZIP hash parser's hex_to_binary conversion function, affecting five specific modules for PKZIP-based hash cracking (17200, 17210, 17220, 17225, 17230). CWE-787 (Out-of-bounds Write) occurs when the parser processes user-supplied hash strings with data_type_enum values ≤1. The function decodes attacker-controlled hexadecimal data from the hash string directly into a fixed-size heap buffer without validating that input length fits the destination buffer capacity. This classic heap overflow condition allows writing beyond allocated boundaries, corrupting adjacent heap metadata or data structures. CPE cpe:2.3:a:hashcat:hashcat:7.1.2 identifies the specific affected product version. Exploitation depends on hashcat being invoked to process hash files from untrusted sources, a scenario common in penetration testing workflows, security research environments, and password auditing operations where hash lists may originate externally.

RemediationAI

Primary mitigation requires upgrading to a patched hashcat version once available; however, no vendor-released patch version is identified in the provided intelligence at time of analysis. Monitor the official hashcat GitHub repository (hashcat/hashcat) and project security advisories for patch announcements. Until patching: (1) Disable or avoid using PKZIP hash modules 17200, 17210, 17220, 17225, and 17230 if operationally feasible, trading PKZIP hash-cracking capability for security; (2) Implement strict input validation by processing only hash files from verified trusted sources with established chain of custody; (3) Execute hashcat in sandboxed environments (containers, VMs, restricted user contexts) to limit code execution impact, accepting performance overhead of isolation; (4) Deploy file integrity monitoring on hash input directories to detect unexpected modifications; (5) For automated pipelines, implement hash file format validation and size restrictions before passing to hashcat, though this may be bypassed by sophisticated payloads. Trade-off analysis: Module disablement eliminates attack surface but renders PKZIP password recovery impossible; sandboxing contains compromise but adds operational complexity and resource consumption. Refer to https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f for technical details of the vulnerability.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-42484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy