CVE-2026-42484 Overview
CVE-2026-42484 is a heap-based buffer overflow [CWE-787] in the hex_to_binary function within the PKZIP hash parser of Hashcat v7.1.2. The flaw affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without input-length validation. A crafted PKZIP hash file can trigger memory corruption that leads to denial of service or arbitrary code execution.
Critical Impact
Processing a malicious PKZIP hash file with a vulnerable Hashcat build can corrupt heap memory and may enable arbitrary code execution in the context of the user running Hashcat.
Affected Products
- Hashcat 7.1.2
- PKZIP hash modules 17200, 17210, 17220, 17225, 17230
- Workflows that ingest untrusted .hash files into Hashcat
Discovery Timeline
- 2026-05-01 - CVE-2026-42484 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-42484
Vulnerability Analysis
The vulnerability resides in the hex_to_binary routine used by the PKZIP hash parser. Hashcat decodes hex-encoded fields from a user-supplied hash string into a fixed-size heap buffer. The parser does not validate the input length against the destination buffer when data_type_enum<=1. An oversized hex payload writes past the end of the allocation, corrupting adjacent heap metadata and chunks.
Because Hashcat is widely used in incident response, CTF, and red team workflows, analysts frequently consume hash files received from third parties. Loading a malicious PKZIP hash into a vulnerable build is sufficient to trigger the overflow without further interaction. The CWE classification [CWE-787] reflects an out-of-bounds write primitive that can be steered toward code execution depending on heap layout and compiler hardening.
Root Cause
The root cause is missing input-length validation in hex_to_binary for PKZIP module variants. The function trusts the length of the attacker-supplied hex string and decodes it directly into a statically sized destination, violating the buffer's allocation contract.
Attack Vector
Exploitation requires the victim to load a crafted PKZIP hash file in Hashcat 7.1.2 using one of the affected modules. The attack vector is classified as network because the malicious hash file can be delivered through standard file-sharing channels and processed by automated pipelines that feed Hashcat. No authentication or user privilege is required on the target system beyond running Hashcat against the hostile input.
No public proof-of-concept exploit has been published in Exploit-DB, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. A technical write-up is available in the GitHub Gist PoC.
Detection Methods for CVE-2026-42484
Indicators of Compromise
- PKZIP hash files containing abnormally long hex fields beyond the documented PKZIP hash format length.
- Hashcat process crashes, SIGSEGV, or glibc heap corruption messages such as malloc(): corrupted top size shortly after loading a .hash file.
- Unexpected child processes spawned by hashcat or hashcat.bin during hash loading.
Detection Strategies
- Inspect PKZIP hash strings before processing and reject entries whose hex segments exceed the expected PKZIP field sizes.
- Run Hashcat under AddressSanitizer or Valgrind in test environments to surface out-of-bounds writes during hash parsing.
- Hunt for Hashcat invocations referencing modules 17200, 17210, 17220, 17225, or 17230 against externally sourced hash files.
Monitoring Recommendations
- Log command-line arguments for hashcat executions, including -m module values and input file paths, on shared cracking hosts.
- Alert on Hashcat process termination by signal or non-zero exit codes correlated with newly received hash files.
- Monitor file ingress to cracking servers and quarantine PKZIP hash files originating from untrusted sources for review.
How to Mitigate CVE-2026-42484
Immediate Actions Required
- Stop processing untrusted PKZIP hash files with Hashcat 7.1.2 until a fixed release is installed.
- Restrict execution of Hashcat to dedicated, non-privileged accounts on isolated cracking hosts.
- Review automated pipelines that pass third-party hash files into Hashcat and add length validation upstream.
Patch Information
No fixed Hashcat release was referenced in the NVD entry at publication. Track the Hashcat advisory and PoC reference and upstream Hashcat repository for an updated build that adds bounds checking in hex_to_binary for the affected PKZIP modules.
Workarounds
- Avoid using PKZIP modules 17200, 17210, 17220, 17225, and 17230 against externally sourced hash files.
- Pre-validate PKZIP hash entries with a parser that enforces field length limits before passing data to Hashcat.
- Execute Hashcat inside a container or VM with no network egress and minimal filesystem access to contain the impact of memory corruption.
# Example: reject PKZIP hash lines whose hex segments exceed a sane upper bound
awk -F'*' 'NF<8 || length($8) <= 8192' suspect.hash > vetted.hash
hashcat -m 17200 vetted.hash wordlist.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
