Cyber Resilience

CVE-2026-42482

Severity: Critical · Public PoC

Published: 01 May 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: not listed
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0040 (32.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-42482 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in hashcat (vendor: Hashcat). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-42482 is a stack-based buffer overflow vulnerability affecting hashcat version 7.1.2, specifically in the mangle_to_hex_lower() and mangle_to_hex_upper() functions within src/rp_cpu.c. The flaw stems from a bounds check that fails to account for the 2x expansion in size when password bytes are converted to hexadecimal representation, as classified under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability can be exploited by any attacker who can supply input to hashcat, such as through a crafted rule file or by invoking the -j or -k rule options alongside password candidates of 128 or more characters. Exploitation enables denial of service via crash or, potentially, arbitrary code execution, depending on the attacker's control over the input and the system's protections.

Mitigation details are available in the referenced advisory at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f, published on 2026-05-01.


Vulnerability details

A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The stack-based buffer overflow in hashcat allows arbitrary code execution (or DoS) via a crafted rule file or command-line input to the client application, directly mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42484: same product (Hashcat hashcat)
CVE-2026-42483: same product (Hashcat hashcat)
CVE-2026-39853: shared CWE-121, CWE-787
CVE-2024-20154: shared CWE-121, CWE-787
CVE-2025-66048: shared CWE-121, CWE-787
CVE-2026-30929: shared CWE-121, CWE-787
CVE-2025-1594: shared CWE-121, CWE-787
CVE-2025-0840: shared CWE-121, CWE-787
CVE-2016-20046: shared CWE-787
CVE-2025-54480: shared CWE-121

Affected Assets

Vendor: hashcat · Product: hashcat · Version: 7.1.2

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 Flaw Remediation. Flaw remediation directly addresses the buffer overflow vulnerability in hashcat by applying patches that fix the bounds check failure in the mangle_to_hex functions.

Prevent: SI-16 Memory Protection. Memory protection safeguards such as stack canaries and DEP limit arbitrary code execution from the stack-based buffer overflow triggered by crafted rule files or long password candidates.

Prevent: SI-10 Information Input Validation. Information input validation at entry points enforces bounds checks that account for hex expansion, preventing overflows from oversized rule files or -j/-k password candidates.
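The input-validation control above is the bounds check the vulnerability description calls for: a hex-to-text rule step must reserve two output bytes per input byte before it writes. As an added example (not hashcat's code and not taken from the referenced advisory), the following C snippet shows a hex-expansion step whose length check accounts for that 2x growth, beside the kind of check that compares only the input length against the buffer and therefore accepts candidates that will not fit. The buffer capacity HEX_OUT_CAP, the function names and the sample candidates are assumptions chosen for illustration; with a 256-byte buffer the safe check rejects exactly the inputs of more than 128 bytes.

```c
/*
 * Added example, not hashcat's code. Demonstrates a hex-expansion step with a
 * length check that accounts for the 2x growth of the output (safe) beside a
 * check that compares only the input length against the buffer (flawed).
 * HEX_OUT_CAP, the function names and the sample inputs are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEX_OUT_CAP 256  /* assumed output buffer capacity (illustrative) */

/* Flawed predicate: compares the *input* length against the buffer size.
 * An input of HEX_OUT_CAP/2 .. HEX_OUT_CAP-1 bytes passes even though its
 * hex form (2 bytes per input byte) cannot fit. Kept only to show the gap. */
static int flawed_check_accepts(size_t in_len, size_t out_cap)
{
    return in_len < out_cap;
}

/* Correct predicate: the output needs exactly 2 * in_len bytes. Written as
 * in_len <= out_cap / 2 so the multiplication cannot itself overflow. */
static int safe_check_accepts(size_t in_len, size_t out_cap)
{
    return in_len <= out_cap / 2;
}

/* Hex-encode `in` into `out` (lower or upper case digits). Returns the number
 * of bytes written, or -1 if the expanded output would not fit in out_cap.
 * Nothing is written on failure: the candidate is rejected instead of the
 * buffer being overrun. */
static int hex_expand(const uint8_t *in, size_t in_len,
                      char *out, size_t out_cap, int upper)
{
    const char *digits = upper ? "0123456789ABCDEF" : "0123456789abcdef";

    if (!safe_check_accepts(in_len, out_cap))
        return -1;

    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    return (int)(2 * in_len);
}

int main(void)
{
    char out[HEX_OUT_CAP];
    const uint8_t short_pw[] = { 'p', 'a', 's', 's' }; /* constructed sample */
    uint8_t long_pw[200];                               /* constructed 200-byte candidate */
    memset(long_pw, 'A', sizeof long_pw);

    int n = hex_expand(short_pw, sizeof short_pw, out, sizeof out, 0);
    printf("4-byte candidate: %d hex bytes -> %.*s\n", n, n, out);

    /* 200 < 256 passes the flawed check, yet the output would need 400 bytes */
    printf("flawed check accepts 200-byte input: %d\n",
           flawed_check_accepts(sizeof long_pw, sizeof out));
    printf("safe check accepts 200-byte input:   %d\n",
           safe_check_accepts(sizeof long_pw, sizeof out));
    printf("hex_expand on 200-byte input returns: %d\n",
           hex_expand(long_pw, sizeof long_pw, out, sizeof out, 1));
    return 0;
}
```

The safe predicate is the whole fix: every later write stays at index 2*i+1 < 2*in_len <= out_cap. Dividing the capacity rather than doubling the length is deliberate, since 2 * in_len on a hostile size_t could wrap and pass a naive comparison.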
