CVE-2026-42482
Stack-based Buffer Overflow in Hashcat
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashcat | hashcat | 7.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42482 is a stack-based buffer overflow vulnerability found in hashcat version 7.1.2, specifically in the functions mangle_to_hex_lower() and mangle_to_hex_upper() within the rule engine. This vulnerability occurs when processing password candidates of 128 or more characters using the -j or -k rule options. The root cause is a bounds check failure that does not account for the fact that password bytes are expanded to hexadecimal representation, which doubles their size, leading to an overflow.
This overflow can cause the application to crash (denial of service) or potentially allow an attacker to execute arbitrary code, although exploitation is limited by hex-only writes and stack canaries.
How can this vulnerability impact me? :
The vulnerability can impact users by causing hashcat to crash unexpectedly, resulting in denial of service during password cracking operations.
In more severe cases, an attacker could exploit this buffer overflow to execute arbitrary code on the system running hashcat, potentially leading to unauthorized access or control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the use of hashcat version 7.1.2, especially when the -j h or -j H flags are used with password candidates of 128 or more characters, as these trigger the stack buffer overflow in the rule engine.
Detection can involve checking for crashes or denial-of-service symptoms when processing crafted rule files or long password candidates.
Specific commands to detect or reproduce the issue include running hashcat with the -j h or -j H options on password candidates of 128+ characters and observing for crashes.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of hashcat version 7.1.2 with the -j h or -j H rule options on password candidates of 128 or more characters.
If possible, upgrade to a version of hashcat where the proposed fix (PR #4618) has been merged and released.
Additionally, avoid processing crafted or untrusted rule files and hash files that could exploit the buffer overflow vulnerabilities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-42482 on compliance with common standards and regulations such as GDPR or HIPAA.