Description
Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an excessively long domain string, causing base64-encoded response data to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling remote code execution on systems without stack protection.
Published: 2026-06-25
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hydra, a popular password‑cracking tool, contains a stack buffer overflow in its NTLM authentication handler. The flaw is triggered when a server sends a malicious NTLM Type‑2 challenge with an overly large domain string. The 500‑byte stack buffer is overrun by 18 to 330 bytes, and on systems lacking stack protection an attacker can inject arbitrary code into the process, leading to remote code execution. The weakness is a classic stack‑based buffer overflow (CWE‑121).
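The defensive pattern for this class of bug is to compute the encoded size before writing and refuse input that cannot fit. The following is an added example, not Hydra's code and not the contents of commit 9cc84c2; the function names, the `RESP_BUF_LEN` name and the caller are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RESP_BUF_LEN 500 /* size of the stack buffer named in the description */

/* Bytes needed for the base64 form of n input bytes, including the NUL.
 * Callers must keep n <= SIZE_MAX / 2 so the arithmetic cannot wrap. */
size_t b64_encoded_size(size_t n) {
    return 4 * ((n + 2) / 3) + 1;
}

/* Encode src into dst only if the whole result fits in dst_len bytes.
 * Returns the encoded length (without NUL), or -1 without touching dst. */
long b64_encode_bounded(const uint8_t *src, size_t n, char *dst, size_t dst_len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;

    if (n > SIZE_MAX / 2 || b64_encoded_size(n) > dst_len)
        return -1; /* reject before the first byte is written */

    for (i = 0; i + 2 < n; i += 3) { /* full 3-byte groups */
        uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8) | src[i + 2];
        dst[o++] = tbl[v >> 18];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = tbl[(v >> 6) & 63];
        dst[o++] = tbl[v & 63];
    }
    if (i < n) { /* 1 or 2 trailing bytes, padded with '=' */
        uint32_t v = (uint32_t)src[i] << 16;
        if (i + 1 < n)
            v |= (uint32_t)src[i + 1] << 8;
        dst[o++] = tbl[v >> 18];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return (long)o;
}

/* Hypothetical caller: the Type-3 message grows with the server-supplied
 * domain string, so its length is attacker-influenced and must be checked. */
int build_auth_line(const uint8_t *type3, size_t type3_len, char out[RESP_BUF_LEN]) {
    return b64_encode_bounded(type3, type3_len, out, RESP_BUF_LEN) < 0 ? -1 : 0;
}
```

With a 500-byte destination, 372 input bytes is the largest message that fits (496 characters plus the NUL); anything longer is rejected instead of being written past the buffer.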

Affected Systems

The vulnerability affects THC Hydra versions 9.7 and earlier. The overflow occurs in the modules handling SMTP, POP3, IMAP, NNTP, HTTP, HTTP‑Proxy, and HTTP‑Proxy‑Urlenum when they process NTLM challenges. All deployments of Hydra that are configured to attempt NTLM authentication against external servers are potentially exposed.

Risk and Exploitability

The CVSS score of 8.6 classifies the flaw as high severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog. Because the trigger is a crafted NTLM Type‑2 challenge sent over any of the supported protocols, the attacker has to operate a server that Hydra connects to and attempts NTLM authentication against. The attacker needs no privileges on the system running Hydra, only the ability to return the malicious challenge over that connection, which on systems without stack protection gives a remote code execution path.

Generated by OpenCVE AI on June 25, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade THC Hydra to a patched revision that incorporates commit 9cc84c20e75f5fef6bb1790bb9ada2afad2204e2 (version 9.8 or later).
  • If an upgrade is not immediately possible, disable the NTLM authentication modules in Hydra or avoid connecting it to untrusted servers that may send crafted challenges.
  • Enable stack protection on the system and, if recompiling Hydra is feasible, compile with stack‑protection and address space randomization to mitigate possible future overflows.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 19:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an excessively long domain string, causing base64-encoded response data to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling remote code execution on systems without stack protection.
  • Title: Hydra - Stack Buffer Overflow in NTLM Authentication Handler
  • Weaknesses: CWE-121
  • References
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  • Metrics: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T18:34:53.467Z

Reserved: 2026-06-22T21:55:17.942Z

Link: CVE-2026-56766

Vulnrichment

Updated: 2026-06-25T18:34:29.403Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T19:30:15Z

Weaknesses
  • CWE-121: Stack-based Buffer Overflow