CVE-2026-42484
CRITICAL EPSS 35.5%
Published May 1, 20262mo ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Published May 1, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago
Description
A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
35.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-787 Out-of-bounds Write Memory Safety
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| hashcat | hashcat | 7.1.2 | any |
References 1
- gist.github.com https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.