Impact
Crypt::Argon2, in versions 0.017 through 0.030, performs an out-of-bounds heap read when the verify function receives an empty encoded string. The function passes the size_t value encoded_len - 1 to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the subtraction wraps to the maximum unsigned value, causing memchr to scan adjacent heap memory for the delimiter byte. An attacker can therefore trigger a crash or obtain the location of a nearby '$' byte, potentially leaking information. This flaw corresponds to CWE-126 and CWE-191.
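The wrap described above, next to a length-checked search, as an added C example that is not the module's own source. The names `unchecked_scan_len` and `find_delim_guarded` are hypothetical, the search starting at offset 1 is an assumption, and the sample hash string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DELIM '$'

/* Length the unchecked pattern hands to memchr: encoded_len - 1.
 * size_t is unsigned, so encoded_len == 0 wraps to SIZE_MAX (CWE-191)
 * and the scan would run past the buffer (CWE-126). */
size_t unchecked_scan_len(size_t encoded_len)
{
    return encoded_len - 1;
}

/* Guarded search (hypothetical helper): offset of the first '$' at
 * index >= 1, or -1 when the input is NULL, empty, or has no such byte.
 * The length check comes before the subtraction, so it cannot wrap. */
ptrdiff_t find_delim_guarded(const char *encoded, size_t encoded_len)
{
    const char *hit;

    if (encoded == NULL || encoded_len == 0)
        return -1;
    /* Assumption: the search starts one byte in, skipping a leading '$'. */
    hit = memchr(encoded + 1, DELIM, encoded_len - 1);
    return hit ? (ptrdiff_t)(hit - encoded) : -1;
}

int main(void)
{
    /* Constructed sample in the Argon2 encoded-hash layout. */
    const char *sample = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA";

    printf("scan length for empty input: %zu\n", unchecked_scan_len(0));
    printf("guarded, empty input: %td\n", find_delim_guarded("", 0));
    printf("guarded, sample: %td\n",
           find_delim_guarded(sample, strlen(sample)));
    return 0;
}
```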
Affected Systems
The vulnerability affects the Perl module Crypt::Argon2, distributed under the name LEONT:Crypt::Argon2. All releases from version 0.017 up to (but not including) 0.031 are affected. The module is commonly used to hash and verify passwords for Perl applications. Applying the official patch is necessary to obtain a fixed version.
Risk and Exploitability
The danger is limited to environments where the application can supply an empty hash string to the verify routine. An attacker who can influence stored hash values or the input string can cause the process to crash, resulting in a denial of service, or can read adjacent heap locations, which may reveal sensitive data only if the memory pattern is interpretable. No remote exploitation vector is described, and the vulnerability is not listed in KEV. EPSS is unavailable, making it hard to quantify exploitation likelihood; however, the absence of a known exploit and the local character of the fault suggest a moderate risk, primarily affecting systems that rely on the vulnerable module without guarding against empty inputs.