CVE-2026-42482 Overview
CVE-2026-42482 is a stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c of hashcat v7.1.2. Each function converts a password candidate to its hexadecimal representation, which doubles its length, but the bounds check performed before the write compares the input length rather than the doubled output length against the buffer capacity. A candidate of 128 or more bytes processed with a hex-conversion rule, supplied through a crafted rule file or through the -j or -k single-rule options, therefore overruns a fixed-size stack buffer. The result is a denial of service (crash) or potentially arbitrary code execution as the user running hashcat. The issue is tracked under [CWE-787] (out-of-bounds write) and [CWE-121] (stack-based buffer overflow).
Critical Impact
A crafted rule file, or a crafted -j/-k rule, processed by hashcat 7.1.2 together with candidates of 128 or more bytes can corrupt the stack and lead to arbitrary code execution in the context of the user running the tool; at minimum the process crashes.
Affected Products
- hashcat 7.1.2
- Any hashcat 7.1.2 run that applies a hex-conversion rule (from a rule file or via the -j/-k options) to candidates of 128 or more bytes
- Distributions and CI pipelines bundling hashcat 7.1.2
Discovery Timeline
- 2026-05-01 - CVE-2026-42482 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-42482
Vulnerability Analysis
The vulnerability resides in hashcat's rule-based candidate mutation engine. The mangle_to_hex_lower() and mangle_to_hex_upper() functions in src/rp_cpu.c convert each byte of a password candidate into two hexadecimal characters. The bounds check performed before writing to the destination buffer compares the input length, not the doubled output length, against the buffer capacity. A candidate of 128 or more bytes therefore produces 256 or more hex characters, which overrun the fixed-size stack buffer (the 128-byte threshold implies a 256-byte buffer). The overflow overwrites adjacent stack memory. On a build without stack protection (no canary) that includes saved registers and the return address, which is what turns a crash into a potential code-execution primitive; on a build compiled with a stack protector the canary check typically aborts the process when the canary is overwritten, so the impact is a denial of service.
Root Cause
The bounds check fails to account for the 2x size expansion inherent to hexadecimal encoding. Each input byte produces two output bytes, so N bytes of input require 2N bytes of output capacity (plus any terminator). The validation treats input length and output capacity as equivalent, so it accepts any candidate shorter than the buffer; every accepted candidate of 128 or more bytes then writes at least 256 bytes, past the end of the stack-allocated buffer. This is a length-computation error (CWE-787) rather than a classic off-by-one: the write overshoots by the full input length.
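To make the root cause concrete, the following C program is an added example written for this page; it is not hashcat's code, and the OUT_CAP value, the function names and the candidate data are assumptions chosen to match the 128-byte trigger described above. It places the defective check pattern beside a corrected one and a bounds-checked encoder, and it never performs the out-of-bounds write: the buggy guard only reports whether it would have allowed it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed output capacity. hashcat's real constants and buffer layout are
 * not reproduced here; the advisory's 128-byte trigger implies a 256-byte
 * destination (2 * 128 = 256), which is what this example uses. */
#define OUT_CAP 256

/* The defective guard pattern the advisory describes: the input length is
 * compared against the buffer capacity, ignoring the 2x expansion of hex
 * encoding. Returns 1 if the write would be allowed, 0 if rejected.
 * Nothing is written, so calling it is safe. */
static int buggy_check_allows(size_t in_len, size_t out_cap)
{
    return in_len < out_cap;   /* 128 < 256 passes, yet 256 bytes are needed */
}

/* Corrected guard: every input byte becomes two output bytes, and one more
 * byte is reserved for a NUL terminator, so 2*in_len must stay below out_cap. */
static int fixed_check_allows(size_t in_len, size_t out_cap)
{
    if (in_len > SIZE_MAX / 2) return 0;   /* keep 2*in_len from wrapping */
    return 2 * in_len < out_cap;
}

/* Bounds-checked hex encoder. Writes 2*in_len hex digits plus a NUL into out
 * and returns the digit count, or -1 if out cannot hold the result.
 * upper selects "ABCDEF" (cf. mangle_to_hex_upper) vs "abcdef" (..._lower). */
static int hex_encode(const uint8_t *in, size_t in_len,
                      char *out, size_t out_cap, int upper)
{
    const char *digits = upper ? "0123456789ABCDEF" : "0123456789abcdef";

    if (!fixed_check_allows(in_len, out_cap)) return -1;

    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * in_len] = '\0';
    return (int)(2 * in_len);
}

/* Encodes the C string in and reports whether the result equals expect. */
static int encodes_to(const char *in, int upper, const char *expect)
{
    char out[OUT_CAP];
    int n = hex_encode((const uint8_t *)in, strlen(in), out, sizeof out, upper);
    return n >= 0 && strcmp(out, expect) == 0;
}

/* Encodes a constructed candidate of n 'a' bytes into a 256-byte buffer and
 * returns the encoder's result: the digit count, or -1 when rejected. */
static int encode_run_of(size_t n)
{
    uint8_t in[512];
    char out[OUT_CAP];
    if (n > sizeof in) return -2;
    memset(in, 'a', n);
    return hex_encode(in, n, out, sizeof out, 0);
}

int main(void)
{
    /* Around the 128-byte threshold the buggy guard keeps admitting
     * candidates whose encoding no longer fits; the fixed guard stops. */
    for (size_t len = 126; len <= 129; len++)
        printf("len=%zu  buggy_check=%d  fixed_check=%d  encode=%d\n",
               len, buggy_check_allows(len, OUT_CAP),
               fixed_check_allows(len, OUT_CAP), encode_run_of(len));
    return 0;
}
```

The point to take from the two guards is that the comparison must be made on the size of what is written, not on the size of what is read; the same mistake appears in any encoder whose output is larger than its input (Base64, URL-encoding, escaping), and the fix is always the same arithmetic with an overflow-safe multiplication.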
Attack Vector
An attacker triggers the flaw by supplying a malicious rule file, or by passing a crafted rule through the -j (single rule applied to the left dictionary) or -k (single rule applied to the right dictionary) options, and arranging for candidates of 128 or more bytes to reach the hex-conversion rule. Shared rule files distributed through public repositories, package archives, or red-team toolkits are a realistic delivery channel, as are attacker-influenced wordlists. The CVSS vector for the entry labels the attack vector as network, but practical exploitation requires the victim to run hashcat against attacker-controlled inputs; there is no listening service to attack.
No public proof-of-concept code has been verified. A reference describing the issue is available at the GitHub Gist PoC Example.
Detection Methods for CVE-2026-42482
Indicators of Compromise
- Hashcat processes terminating with SIGSEGV, or with a stack-protector abort ("*** stack smashing detected ***" from glibc), during rule application
- Execution of hashcat 7.1.2 with -j or -k flags referencing untrusted rule files
- Rule files containing hex-mangling directives paired with wordlists containing entries 128 characters or longer
- Unexpected child processes spawned by hashcat outside its normal execution profile
Detection Strategies
- Inventory all hosts running hashcat version 7.1.2 using software asset management or endpoint telemetry
- Alert on command-line invocations of hashcat that include -j or -k, or -r/--rules-file pointing at rule files outside vetted directories
- Capture process crash dumps from systems running hashcat to identify exploitation attempts
Monitoring Recommendations
- Forward hashcat process execution events and crash telemetry to a centralized logging platform for correlation
- Monitor file integrity on rule directories such as rules/ within hashcat installations
- Track network egress from research and password-audit workstations for anomalous post-exploitation traffic
How to Mitigate CVE-2026-42482
Immediate Actions Required
- Stop using hashcat 7.1.2 with untrusted rule files until a fixed release is installed
- Restrict execution of hashcat to vetted users on isolated, non-privileged workstations
- Validate password wordlists and reject entries of 128 bytes or longer (count bytes, not characters; a multibyte UTF-8 entry can exceed 128 bytes with fewer than 128 characters) when hex-conversion rules are in use
- Review existing rule files from untrusted sources for hex-conversion directives (the rules backed by mangle_to_hex_lower() and mangle_to_hex_upper())
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Track the hashcat project and the vendor advisory reference for an official fixed release. Once one is published, upgrade past version 7.1.2 and rebuild any container images or packages that bundle the affected binary.
Workarounds
- Run hashcat under a non-privileged user account inside a sandbox or container with no outbound network access
- Rebuild hashcat with -fstack-protector-strong (and -D_FORTIFY_SOURCE=2 for the libc calls it covers). This does not fix the bug: it turns a successful overflow into a detected abort, downgrading code execution to a crash
- Pre-filter candidate wordlists to remove entries of 128 bytes or more before applying hex-conversion rules
- Do not pass rules from external sources through -j or -k, and do not load external rule files with -r/--rules-file, until a fixed release is installed
# Configuration example: filter long candidates and run hashcat in a constrained shell
# LC_ALL=C makes awk's length() count bytes rather than multibyte characters,
# which is what matters for the buffer: a 100-character UTF-8 entry can exceed 128 bytes.
LC_ALL=C awk 'length($0) < 128' wordlist.txt > wordlist.filtered.txt
# Sandbox with no network access. hashes.txt is a placeholder for the hash file:
# in attack mode 0 the first positional argument is the hash (file), the second the dictionary.
firejail --net=none --private-tmp \
    hashcat -m 0 -a 0 hashes.txt wordlist.filtered.txt \
    --rules-file ./rules/trusted.rule
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


