Cyber Resilience

CVE-2026-42484

Critical · Public PoC

Published: 01 May 2026

Modified: 01 May 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (35.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-42484 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in hashcat. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 35.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-42484 is a heap-based buffer overflow vulnerability (CWE-787) in the hex_to_binary function of the PKZIP hash parser in hashcat version 7.1.2. It affects modules 17200, 17210, 17220, 17225, and 17230. The flaw occurs when data_type_enum is less than or equal to 1, allowing attacker-controlled hexadecimal data from a user-supplied hash string to be decoded into a fixed-size buffer without proper input length validation. The vulnerability was published on 2026-05-01 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker can exploit this issue by supplying a crafted PKZIP hash file to a vulnerable hashcat instance. No privileges, user interaction, or special access are required, and attacks can originate over a network with low complexity. Successful exploitation enables denial of service or potentially arbitrary code execution.

Details on the vulnerability, including proof-of-concept information, are provided in the referenced GitHub Gist at https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f. No specific patch or mitigation guidance is detailed in the available CVE information.

EU & UK References

Vulnerability details

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A heap-based buffer overflow in the PKZIP hash parser of the hashcat client tool allows RCE via a crafted input file with no privileges or UI required, directly enabling exploitation for client execution to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42483 · Same product: Hashcat Hashcat
CVE-2026-42482 · Same product: Hashcat Hashcat
CVE-2019-25705 · Shared CWE-787
CVE-2019-25633 · Shared CWE-787
CVE-2026-0538 · Shared CWE-787
CVE-2016-20046 · Shared CWE-787
CVE-2019-25628 · Shared CWE-787
CVE-2019-25695 · Shared CWE-787
CVE-2018-25218 · Shared CWE-787
CVE-2019-25612 · Shared CWE-787

Affected Assets

hashcat
hashcat
7.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the buffer overflow in hashcat v7.1.2 by requiring patches or upgrades to eliminate the vulnerability in the PKZIP hash parser.

prevent

Memory protection controls like ASLR and DEP help prevent arbitrary code execution from heap-based buffer overflows in the vulnerable hashcat modules.

prevent

Information input validation enforces length checks on attacker-supplied hex data in PKZIP hash files, directly mitigating the lack of bounds checking in hex_to_binary.
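The length check described in this control and missing in the flaw described under "Deeper analysis", shown as an added example that is not hashcat's code or its fix: a hex decoder that verifies the decoded size against the destination capacity before writing any byte. The function name hex_to_binary_checked and the capacity DATA_CAP are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for illustration; the page does not give hashcat's real buffer size. */
#define DATA_CAP 64

/* Returns 0..15 for a hex digit, -1 for anything else. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Bounded hex decoder (hypothetical name). Decodes hex_len characters from hex
 * into out[0..out_cap). Returns the number of bytes written, or -1 when the
 * input has odd length, contains a non-hex character, or would not fit.
 * Oversized input is rejected outright rather than truncated.
 */
long hex_to_binary_checked(const char *hex, size_t hex_len, uint8_t *out, size_t out_cap)
{
    if (hex == NULL || out == NULL) return -1;
    if (hex_len % 2 != 0) return -1;
    if (hex_len / 2 > out_cap) return -1;   /* capacity check before any write */

    for (size_t i = 0; i < hex_len; i += 2) {
        int hi = hex_val(hex[i]);
        int lo = hex_val(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(hex_len / 2);
}

/* Constructed sample inputs: one field that fits, one that is a byte too long. */
int main(void)
{
    uint8_t buf[DATA_CAP];
    char oversized[2 * DATA_CAP + 3];
    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("fits: %ld\n", hex_to_binary_checked("deadBEEF", 8, buf, sizeof buf));
    printf("oversized: %ld\n", hex_to_binary_checked(oversized, strlen(oversized), buf, sizeof buf));
    return 0;
}
```

A parser using this pattern should treat a -1 return as a malformed hash line and skip it, never fall back to a partial decode.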

References