#1136004 hashcat: CVE-2026-42482 CVE-2026-42483 CVE-2026-42484

Package:
src:hashcat
Source:
src:hashcat
Submitter:
Moritz Mühlenhoff
Date:
2026-05-08 13:27:03 UTC
Severity:
normal
Date:
2026-05-08 13:20:22 UTC
Hi,

The following vulnerabilities were published for hashcat.

CVE-2026-42482[0]:
| A stack-based buffer overflow in mangle_to_hex_lower() and
| mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an
| attacker to cause a denial of service or possibly execute arbitrary
| code via a crafted rule file, or via the -j or -k rule options used
| with password candidates of 128 or more characters. The
| vulnerability is caused by a bounds check that fails to account for
| the 2x expansion that occurs when password bytes are converted to
| hexadecimal.

CVE-2026-42483[1]:
| A heap-based buffer overflow in the Kerberos hash parser in hashcat
| v7.1.2 allows an attacker to cause a denial of service or possibly
| execute arbitrary code via a crafted Kerberos hash file. The issue
| affects module_hash_decode in multiple Kerberos-related modules
| because account_info_len is calculated from untrusted delimiter
| positions without upper-bound validation before memcpy copies the
| data into a fixed-size account_info buffer.

CVE-2026-42484[2]:
| A heap-based buffer overflow in hex_to_binary in the PKZIP hash
| parser in hashcat v7.1.2 allows an attacker to cause a denial of
| service or possibly execute arbitrary code via a crafted PKZIP hash
| file. The issue affects modules 17200, 17210, 17220, 17225, and
| 17230. When data_type_enum<=1, attacker-controlled hex data from a
| user-supplied hash string is decoded into a fixed-size buffer
| without proper input-length validation.

It's unclear whether this has been properly reported upstream:
https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42482
https://www.cve.org/CVERecord?id=CVE-2026-42482
[1] https://security-tracker.debian.org/tracker/CVE-2026-42483
https://www.cve.org/CVERecord?id=CVE-2026-42483
[2] https://security-tracker.debian.org/tracker/CVE-2026-42484
https://www.cve.org/CVERecord?id=CVE-2026-42484

Please adjust the affected versions in the BTS as needed.
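As an added illustration of the CVE-2026-42482 pattern described above (example code, not hashcat's own and not part of the report): a hex encoder whose bounds check is computed on the expanded output size rather than on the input length. The 256-byte capacity, the reserved terminator byte and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed capacity (hashcat's real constant is not on this page): 256 bytes
 * with one reserved for a terminator, so 128+ input bytes no longer fit doubled. */
#define CANDIDATE_MAX 256

static const char HEX_LOWER[] = "0123456789abcdef";

/* Hypothetical hardened encoder: writes the lower-case hex form of `in` into
 * `out` (capacity out_cap) and returns the digit count, or 0 when the doubled
 * size plus terminator would not fit. The check uses the EXPANDED length. */
size_t hex_lower_checked(const uint8_t *in, size_t in_len,
                         char *out, size_t out_cap)
{
  if (in_len > (SIZE_MAX - 1) / 2) return 0;   /* no size_t wrap-around */
  const size_t need = in_len * 2 + 1;
  if (need > out_cap) return 0;                /* would overflow: refuse */

  for (size_t i = 0; i < in_len; i++) {
    out[2 * i]     = HEX_LOWER[in[i] >> 4];
    out[2 * i + 1] = HEX_LOWER[in[i] & 0x0f];
  }
  out[2 * in_len] = '\0';
  return in_len * 2;
}

/* Encode a constructed in_len-byte candidate (all 'A') into a CANDIDATE_MAX
 * buffer; returns digits written, 0 if the encoder refused. */
size_t demo_expand(size_t in_len)
{
  uint8_t in[CANDIDATE_MAX];
  char out[CANDIDATE_MAX];
  if (in_len > sizeof in) return 0;
  memset(in, 'A', in_len);
  return hex_lower_checked(in, in_len, out, sizeof out);
}

/* Sanity check of the encoding itself on a constructed 4-byte input. */
int demo_encodes_deadbeef(void)
{
  const uint8_t in[4] = {0xde, 0xad, 0xbe, 0xef};
  char out[9];
  return hex_lower_checked(in, 4, out, sizeof out) == 8 &&
         strcmp(out, "deadbeef") == 0;
}
```

A check of the form `in_len <= CANDIDATE_MAX` accepts a 128-byte candidate, while the expanded-size check above refuses it; that gap is the one the advisory describes.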