Cyber Resilience

CVE-2026-42483

CriticalPublic PoC

Published: 01 May 2026

Published
01 May 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 22.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-42483 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Hashcat Hashcat. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 22.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42483 is a heap-based buffer overflow vulnerability (CWE-787, CWE-122) in the Kerberos hash parser of hashcat version 7.1.2. The issue affects the module_hash_decode function in multiple Kerberos-related modules, where the account_info_len value is calculated from untrusted delimiter positions in a crafted input without upper-bound validation. This leads to an unchecked memcpy operation that copies data into a fixed-size account_info buffer, enabling potential memory corruption.

The vulnerability can be exploited by any unauthenticated attacker over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By providing a malicious Kerberos hash file to a hashcat instance processing it—such as during password cracking workflows—the attacker can trigger a denial of service crash or, in some cases, achieve arbitrary code execution with the privileges of the hashcat process.

References for the vulnerability are available at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f, which may include proof-of-concept details or further analysis. No specific patch or mitigation guidance is provided in the CVE description.

EU & UK References

Vulnerability details

A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules…

more

because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in hashcat client application enables exploitation for arbitrary code execution via crafted input file with no user interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42484Same product: Hashcat Hashcat
CVE-2026-42482Same product: Hashcat Hashcat
CVE-2026-5403Shared CWE-122, CWE-787
CVE-2024-55192Shared CWE-122, CWE-787
CVE-2026-5405Shared CWE-122, CWE-787
CVE-2025-27091Shared CWE-122, CWE-787
CVE-2026-42046Shared CWE-122, CWE-787
CVE-2025-21266Shared CWE-122
CVE-2026-25713Shared CWE-122
CVE-2016-20046Shared CWE-787

Affected Assets

hashcat
hashcat
7.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the buffer overflow vulnerability by requiring timely patching or upgrading of vulnerable hashcat versions to eliminate the unchecked memcpy operation.

prevent

Memory protection mechanisms such as ASLR, DEP, and heap hardening comprehensively mitigate exploitation of the heap-based buffer overflow for arbitrary code execution or DoS.

prevent

Information input validation requires bounds checking and sanitization of crafted Kerberos hash files before processing by hashcat's vulnerable parser.

References