CVE-2026-42484
Published: 01 May 2026
Summary
CVE-2026-42484 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Hashcat. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 27.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the buffer overflow in hashcat v7.1.2 by requiring patches or upgrades to eliminate the vulnerability in the PKZIP hash parser.
Memory protection controls like ASLR and DEP prevent arbitrary code execution from heap-based buffer overflows in vulnerable hashcat modules.
Information input validation enforces length checks on attacker-supplied hex data in PKZIP hash files, directly mitigating the lack of bounds checking in hex_to_binary.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap-based buffer overflow in the PKZIP hash parser of the hashcat client tool allows RCE via a crafted input file, with no privileges or UI required. This directly enables Exploitation for Client Execution to achieve arbitrary code execution.
NVD Description
A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.
Deeper analysis
CVE-2026-42484 is a heap-based buffer overflow vulnerability (CWE-787) in the hex_to_binary function of the PKZIP hash parser in hashcat version 7.1.2. It affects modules 17200, 17210, 17220, 17225, and 17230. The flaw occurs when data_type_enum is less than or equal to 1, allowing attacker-controlled hexadecimal data from a user-supplied hash string to be decoded into a fixed-size buffer without proper input length validation. The vulnerability was published on 2026-05-01 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker can exploit this issue by supplying a crafted PKZIP hash file to a vulnerable hashcat instance. No privileges, user interaction, or special access are required, and attacks can originate over a network with low complexity. Successful exploitation enables denial of service or potentially arbitrary code execution.
Details on the vulnerability, including proof-of-concept information, are provided in the referenced GitHub Gist at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f. No specific patch or mitigation guidance is detailed in the available CVE information.
Details
- CWE(s)