pymonocypher CVE-2026-53720
MEDIUMSeverity by source
Local vector since exploitation occurs via library API call; high complexity because undersized nb_blocks must be supplied; scope changed due to heap corruption potentially affecting surrounding process memory beyond the function.
Lifecycle Timeline
1DescriptionCVE.org
Impact
The argon2i_32 implementation does not check the nb_blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i_32 will write past the end of the buffer and possibly corrupt the heap.
Patches
Fixed in 4.0.2.8, which now verifies that nb_blocks is large enough. See 90ff5b1.
Workarounds
Provide a correctly sized nb_blocks buffer.
pymonocypher thanks Haris (hextheshadow) for the vulnerability report, details, and recommended fix.
AnalysisAI
Heap buffer overflow in pymonocypher's argon2i_32 function allows memory corruption when callers supply an undersized nb_blocks buffer, violating the library's API contract without triggering any bounds check. Applications using pymonocypher prior to version 4.0.2.8 that invoke the Argon2i password-hashing interface are at risk of heap corruption, which can produce crashes or potentially enable controlled memory writes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that argon2i_32 be called with an nb_blocks buffer smaller than the minimum required by the Argon2i algorithm's memory requirements. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector has been published by NVD or the vendor for this vulnerability, and no EPSS score or CISA KEV listing is available, eliminating the primary quantitative risk signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application using pymonocypher calculates or accepts externally influenced input for the nb_blocks argument and passes an undersized buffer to argon2i_32; the missing size check allows the function to write beyond the heap allocation, corrupting adjacent heap metadata. No public exploit code has been identified at time of analysis, but a crafted nb_blocks value that causes a minimal size underestimate could trigger reliable heap corruption in a tight feedback loop, potentially enabling process crashes or - depending on heap layout - controlled writes. |
| Remediation | Upgrade pymonocypher to version 4.0.2.8 or later; this release adds nb_blocks size validation in argon2i_32 and is the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8f95-v3jq-cj86