Description
A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based buffer overflow in the hex_to_binary routine used by the PKZIP hash parser in hashcat. When a user supplies a PKZIP hash string containing more hex characters than a fixed‑size buffer can accommodate, the overflow can trigger a crash or, if the attacker can influence control flow, arbitrary code execution. The risk is limited to the process that parses the hash file, but it can lead to full compromise of the system if the attacker achieves code execution.

Affected Systems

The flaw exists in hashcat version 7.1.2 and affects the PKZIP modules 17200, 17210, 17220, 17225, and 17230. These modules are enabled by default when the corresponding hash type is requested via the CLI. Users running hashcat 7.1.2 or older on any platform where these modules are active are susceptible.

Risk and Exploitability

With no EPSS data and no listing in CISA KEV, the likelihood of exploitation is undetermined, but the CVSS score of 9.8 indicates a severe vulnerability due to the buffer overflow. Attackers can host a malicious PKZIP hash file and trigger the overflow by invoking hashcat from the command line or via scripts. Because the flaw arises from unvalidated input, an attacker who can supply the hash string can potentially cause a denial of service or exploit the overflow for code execution in the host environment. The vulnerability is exploitable in any scenario where untrusted hash files are processed without prior validation.

Generated by OpenCVE AI on May 2, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest hashcat release, verifying that the release notes indicate a fix for the hex_to_binary buffer overflow.
  • Disable the PKZIP hash modes (17200–17230) if PKZIP hashes are not required.
  • Validate or filter user-supplied PKZIP hash strings so that the hex length does not exceed the buffer capacity before passing them to hashcat.

Generated by OpenCVE AI on May 2, 2026 at 10:48 UTC.
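
The input-length validation that the description says is missing, shown as an added example (this is not hashcat's code and not part of the CVE record): a hex decoder that is told the destination capacity and rejects input that is malformed or would not fit. The names `hex_decode_bounded` and `hex_nibble`, the capacity `DATA_CAP` and the sample strings are assumptions constructed for illustration; the real buffer size is not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity; the real buffer size is not given on this page. */
#define DATA_CAP 8

/* Map one hex character to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode hex_len characters of hex into out (capacity out_cap bytes).
 * Returns the number of bytes written, or -1 if the input has odd length,
 * contains a non-hex character, or would not fit. Every check happens
 * before the first write, so a rejected input leaves out untouched.
 */
static long hex_decode_bounded(const char *hex, size_t hex_len,
                               uint8_t *out, size_t out_cap)
{
    if (hex_len % 2 != 0) return -1;
    if (hex_len / 2 > out_cap) return -1;   /* the length check */

    for (size_t i = 0; i < hex_len; i++)
        if (hex_nibble(hex[i]) < 0) return -1;

    for (size_t i = 0; i < hex_len / 2; i++)
        out[i] = (uint8_t)((hex_nibble(hex[2 * i]) << 4) | hex_nibble(hex[2 * i + 1]));

    return (long)(hex_len / 2);
}

int main(void)
{
    uint8_t buf[DATA_CAP];
    const char *ok  = "504b0304deadbeef";    /* constructed: 8 bytes, fits */
    const char *big = "504b0304deadbeef00";  /* constructed: 9 bytes, too long */

    printf("fits:     %ld\n", hex_decode_bounded(ok, strlen(ok), buf, sizeof buf));
    printf("too long: %ld\n", hex_decode_bounded(big, strlen(big), buf, sizeof buf));
    return 0;
}
```

The capacity is passed by the caller next to the buffer, so the decoder cannot be invoked without stating how much room the destination has.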

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Heap-Based Buffer Overflow in PKZIP Hash Parser of hashcat |

Fri, 01 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 01 May 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Hashcat; Hashcat hashcat |
| Weaknesses | | CWE-787 |
| CPEs | | cpe:2.3:a:hashcat:hashcat:7.1.2:*:*:*:*:*:*:* |
| Vendors & Products | | Hashcat; Hashcat hashcat |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Fri, 01 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation. |

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:35:16.342Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42484

Vulnrichment

Updated: 2026-05-01T18:35:11.906Z

NVD

Status: Modified

Published: 2026-05-01T14:16:22.800

Modified: 2026-05-01T19:16:33.000

Link: CVE-2026-42484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:45:13Z

Weaknesses