Description
Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an excessively long domain string, causing base64-encoded response data to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling remote code execution on systems without stack protection.
Published: 2026-06-25
Score: 8.6 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hydra, a popular password‑cracking tool, contains a stack buffer overflow in its NTLM authentication handler. The flaw is triggered when a server sends a malicious NTLM Type‑2 challenge with an overly large domain string. The 500‑byte stack buffer is overrun by 18 to 330 bytes, and on systems lacking stack protection an attacker can inject arbitrary code into the process, leading to a classic stack‑based buffer overflow (CWE‑120, CWE‑121).

Affected Systems

The vulnerability affects THC Hydra versions 9.7 and earlier. The stack spill occurs in the modules handling SMTP, POP3, IMAP, NNTP, HTTP, HTTP‑Proxy, and HTTP‑Proxy‑Urlenum when processing NTLM challenges. All deployments of Hydra that are configured to attempt NTLM authentication against external servers are potentially exposed.

Risk and Exploitability

The CVSS score of 8.6 classifies the flaw as high severity, and the EPSS score is 0.00474 (<1%), though the vulnerability is not listed in the CISA KEV catalog. Because the trigger is a crafted NTLM challenge sent over any of the supported protocols, a remote attacker who can reach a Hydra instance can exploit the loss of stack bounds checks. The exploit requires no privileged access to the target system; it merely needs a network connection and the ability to send a malicious challenge, making it a straightforward remote code execution path.

Generated by OpenCVE AI on June 29, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade THC Hydra to a patched revision that incorporates commit 9cc84c20e75f5fef6bb1790bb9ada2afad2204e2 (version 9.8 or later).
  • If an upgrade is not immediately possible, disable the NTLM authentication modules in Hydra or avoid connecting it to untrusted servers that may send crafted challenges.
  • Enable stack protection on the system and, if recompiling Hydra is feasible, compile with stack‑protection and address space randomization to mitigate possible future overflows.

Generated by OpenCVE AI on June 29, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

threat_severity

Important


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Vanhauser-thc
Vanhauser-thc thc-hydra
Vendors & Products Vanhauser-thc
Vanhauser-thc thc-hydra

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an excessively long domain string, causing base64-encoded response data to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling remote code execution on systems without stack protection.
Title Hydra - Stack Buffer Overflow in NTLM Authentication Handler
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Vanhauser-thc Thc-hydra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:18.775Z

Reserved: 2026-06-22T21:55:17.942Z

Link: CVE-2026-56766

cve-icon Vulnrichment

Updated: 2026-06-25T18:34:29.403Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T18:01:07Z

Links: CVE-2026-56766 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:15:05Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-121

    Stack-based Buffer Overflow