Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-42484

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

View on NVD

Analysis

Hashcat is a standard tool used by security professionals and developers for password auditing and recovery. A heap buffer overflow in a hash parser (PKZIP) that leads to RCE is a high-impact vulnerability for a tool that frequently processes untrusted input strings.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-787

EPSS

Probability of exploitation (next 30 days): 0.0008 (0.1%)
Percentile: 22.3%
EPSS: 2026-05-06

Affects

hashcat:hashcat

Technical description

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

Published: 5/1/2026, 2:16:22 PM
Last modified: 5/1/2026, 7:16:33 PM

References

HomeEventsBlogResourcesTeam