CVE-2026-42482
Published: 01 May 2026
Summary
CVE-2026-42482 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in hashcat (vendor: Hashcat). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 27.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation directly addresses the buffer overflow in hashcat by applying the patch that fixes the failed bounds check in the mangle_to_hex functions.
- Memory protection safeguards such as stack canaries and DEP limit the stack-based buffer overflow, triggered by crafted rule files or long password candidates, to a crash rather than arbitrary code execution.
- Information input validation at entry points enforces bounds checks that account for the hex expansion, preventing overflows from oversized rule files or from the -j/-k rule options applied to long password candidates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack-based buffer overflow in hashcat allows arbitrary code execution (or DoS) via a crafted rule file or command-line input to the client application, which maps directly to Exploitation for Client Execution.
NVD Description
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.
Deeper analysis
CVE-2026-42482 is a stack-based buffer overflow vulnerability affecting hashcat version 7.1.2, specifically in the mangle_to_hex_lower() and mangle_to_hex_upper() functions within src/rp_cpu.c. The flaw stems from a bounds check that fails to account for the 2x growth in size when password bytes are converted to their hexadecimal representation; it is classified under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
The vulnerability can be exploited by any attacker who can supply input to hashcat, such as through a crafted rule file or by invoking the -j or -k rule options alongside password candidates of 128 or more characters. Exploitation enables denial of service via crash or, potentially, arbitrary code execution, depending on the attacker's control over the input and the system's protections.
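As an added illustration of the bug class (not hashcat's own code and not the actual fix), the C below places a length check that ignores the 2x hex expansion beside one that accounts for it, with a checked encoder behind the corrected test. OUT_CAP, the function names and the 129-byte sample length are assumptions, not values taken from src/rp_cpu.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative reconstruction of the bug class only; not hashcat's code.
 * OUT_CAP is an assumed buffer size, not the real one in src/rp_cpu.c. */
#define OUT_CAP 256

/* Flawed check: compares the input length to the output capacity and
 * ignores that each input byte becomes two hex characters, so it accepts
 * lengths whose 2x expansion no longer fits. */
bool hex_check_flawed(size_t in_len, size_t out_cap)
{
    return in_len <= out_cap;
}

/* Corrected check: the write is 2 * in_len bytes. Dividing the capacity
 * instead of doubling the length avoids size_t overflow on huge inputs. */
bool hex_check_fixed(size_t in_len, size_t out_cap)
{
    return in_len <= out_cap / 2;
}

/* Hex-encode in[0..in_len) into out (no terminator) behind the corrected
 * check. Returns bytes written, or -1 when the expansion would not fit. */
int hex_encode_checked(const uint8_t *in, size_t in_len,
                       char *out, size_t out_cap, bool upper)
{
    static const char lower_d[] = "0123456789abcdef";
    static const char upper_d[] = "0123456789ABCDEF";
    const char *digits = upper ? upper_d : lower_d;

    if (!hex_check_fixed(in_len, out_cap)) return -1;
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    return (int)(2 * in_len);
}

/* A 129-byte candidate (assumed value) with a 256-byte buffer: the flawed
 * check lets it through, yet the encoder would write 258 bytes. */
bool flawed_check_accepts_overflowing_input(void)
{
    return hex_check_flawed(129, OUT_CAP) && !hex_check_fixed(129, OUT_CAP);
}
```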
Mitigation details are available in the referenced advisory at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f, published on 2026-05-01.
Details
- CWE(s)