CVE-2026-42483
Heap-based Buffer Overflow in hashcat
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashcat | hashcat | 7.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based buffer overflow in the Kerberos hash parser of hashcat version 7.1.2. It occurs because the length of account information is calculated from untrusted delimiter positions without proper upper-bound validation. This leads to copying more data than the fixed-size buffer can hold, which can cause memory corruption.
An attacker can exploit this by providing a specially crafted Kerberos hash file that triggers the overflow in the module_hash_decode function within multiple Kerberos-related modules.
How can this vulnerability impact me? :
Exploiting this vulnerability can allow an attacker to cause a denial of service (crash) of the affected application. In some cases, it may also allow the attacker to execute arbitrary code, potentially leading to full system compromise depending on the environment and privileges of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing hashcat usage and inspecting Kerberos hash files for crafted or excessively long account_info fields that could trigger the heap-based buffer overflow.
Specifically, detection involves checking if hashcat version 7.1.2 is in use and if any Kerberos hash files processed contain unusually long or malformed account_info fields that bypass length validation.
While no explicit commands are provided in the resources, a practical approach includes:
- Verify hashcat version: `hashcat --version`
- Search for Kerberos hash files with long account_info fields using tools like `grep` or custom scripts to identify unusually long fields.
- Monitor hashcat crashes or denial-of-service symptoms during Kerberos hash processing, which may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Stop using hashcat version 7.1.2 for processing Kerberos hashes until a patched version is available.
- Avoid processing untrusted or crafted Kerberos hash files that may contain maliciously long account_info fields.
- Monitor for updates or patches from the hashcat project addressing this heap-based buffer overflow vulnerability.
- Consider applying any available workarounds or patches proposed in community pull requests or advisories.