CVE-2026-42484 - Vulnerability Details

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f

History

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.
References		https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-01T00:00:00.000Z

Updated: 2026-05-01T14:00:20.412Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42484

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:22.800

Modified: 2026-05-01T15:37:52.480

Link: CVE-2026-42484

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object