Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42482 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | Hashcat |
| Product | Hashcat |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.
Required Actions
Update hashcat to a release newer than 7.1.2 that contains the fix. Until updated, do not use rule files from untrusted sources and avoid password candidates longer than 128 characters with the -j/-k options. In pentest/forensic workflows, treat hashcat as software potentially attacked through its inputs.
Who Is Affected?
This vulnerability affects Hashcat by the Hashcat project. Check whether your organization uses hashcat (typically pentest, red team, forensic teams) and roll out the update.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
