CVE-2026-42482
Received Received - Intake
Stack-based Buffer Overflow in Hashcat

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: MITRE

Description
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42482
EUVD
EUVD-2026-26529
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hashcat hashcat 7.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-42482 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42482 is a stack-based buffer overflow vulnerability found in hashcat version 7.1.2, specifically in the functions mangle_to_hex_lower() and mangle_to_hex_upper() within the rule engine. This vulnerability occurs when processing password candidates of 128 or more characters using the -j or -k rule options. The root cause is a bounds check failure that does not account for the fact that password bytes are expanded to hexadecimal representation, which doubles their size, leading to an overflow.

This overflow can cause the application to crash (denial of service) or potentially allow an attacker to execute arbitrary code, although exploitation is limited by hex-only writes and stack canaries.

Impact Analysis

The vulnerability can impact users by causing hashcat to crash unexpectedly, resulting in denial of service during password cracking operations.

In more severe cases, an attacker could exploit this buffer overflow to execute arbitrary code on the system running hashcat, potentially leading to unauthorized access or control.

Detection Guidance

This vulnerability can be detected by monitoring the use of hashcat version 7.1.2, especially when the -j h or -j H flags are used with password candidates of 128 or more characters, as these trigger the stack buffer overflow in the rule engine.

Detection can involve checking for crashes or denial-of-service symptoms when processing crafted rule files or long password candidates.

Specific commands to detect or reproduce the issue include running hashcat with the -j h or -j H options on password candidates of 128+ characters and observing for crashes.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of hashcat version 7.1.2 with the -j h or -j H rule options on password candidates of 128 or more characters.

If possible, upgrade to a version of hashcat where the proposed fix (PR #4618) has been merged and released.

Additionally, avoid processing crafted or untrusted rule files and hash files that could exploit the buffer overflow vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart