Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42484 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | Hashcat |
| Product | Hashcat |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
A heap-based buffer overflow in `hex_to_binary` in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When `data_type_enum <= 1`, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation, so a hash field longer than the buffer overruns it.
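The defensive pattern that closes this class of bug is to bound the decoded size against the destination before writing a single byte. The following C is an added illustration, not hashcat's code: `hex_to_binary_checked`, `decode_field` and the `DATA_BUF_MAX` capacity are hypothetical names and values chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed destination size standing in for the buffer the
 * advisory describes; not a value taken from hashcat. */
#define DATA_BUF_MAX 32

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Bounded hex decoder. Rejects odd-length input, non-hex characters and any
 * input whose decoded size exceeds out_cap, all before touching out.
 * Returns the number of bytes written, or -1 on rejection. */
int hex_to_binary_checked(const char *hex, size_t hex_len, uint8_t *out, size_t out_cap)
{
  if (hex == NULL || out == NULL) return -1;
  if (hex_len % 2 != 0) return -1;        /* hex arrives in full byte pairs */
  if (hex_len / 2 > out_cap) return -1;   /* the length check the advisory says was missing */
  for (size_t i = 0; i < hex_len; i++)
    if (hex_nibble(hex[i]) < 0) return -1; /* validate every digit before writing */
  for (size_t i = 0; i < hex_len; i += 2)
    out[i / 2] = (uint8_t)((hex_nibble(hex[i]) << 4) | hex_nibble(hex[i + 1]));
  return (int)(hex_len / 2);
}

/* Decode one NUL-terminated hash-line field into the fixed-size buffer. */
int decode_field(const char *field, uint8_t out[DATA_BUF_MAX])
{
  return hex_to_binary_checked(field, strlen(field), out, DATA_BUF_MAX);
}

int main(void)
{
  uint8_t buf[DATA_BUF_MAX];
  const char *ok = "deadbeef0102";         /* constructed sample: 6 bytes, fits */
  char too_long[2 * DATA_BUF_MAX + 3];     /* constructed sample: one byte over capacity */
  memset(too_long, 'a', sizeof too_long - 1);
  too_long[sizeof too_long - 1] = '\0';
  printf("ok field -> %d bytes\n", decode_field(ok, buf));        /* prints 6 */
  printf("oversized field -> %d\n", decode_field(too_long, buf)); /* prints -1 */
  return 0;
}
```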
Required Actions
Update hashcat to a release newer than 7.1.2 that contains the fix. Until updated, do not load PKZIP hash files from untrusted sources and avoid using modules 17200, 17210, 17220, 17225, 17230 with unverified data. As with other hashcat issues, consider isolating the tool (container/VM).
Who Is Affected?
This vulnerability affects Hashcat by the Hashcat project. Check whether your organization uses hashcat to process PKZIP hashes and roll out the update.
Sources
