CVE-2026-8463 Overview
CVE-2026-8463 is a heap out-of-bounds read vulnerability in the Crypt::Argon2 Perl module, affecting versions from 0.017 before 0.031. The flaw resides in the auto-detect form of argon2_verify, which fails to validate that the encoded input length is non-zero before performing pointer arithmetic. When an empty encoded string is supplied, a size_t subtraction underflows to SIZE_MAX, causing memchr to scan adjacent heap memory.
Applications that call argon2_verify against potentially empty stored hashes — such as placeholder rows or NULL columns materialized as empty strings — can crash or leak byte position information from adjacent heap memory.
Critical Impact
Attackers who can get an empty encoded hash passed to argon2_verify can trigger an out-of-bounds heap read, causing a process crash or limited disclosure of heap memory layout.
Affected Products
- Leont Crypt::Argon2 for Perl, versions 0.017 through 0.030
- Perl applications calling the auto-detect form of argon2_verify
- Downstream packages bundling vulnerable Crypt::Argon2 releases from CPAN
Discovery Timeline
- 2026-05-13 - CVE-2026-8463 published to NVD
- 2026-05-13 - Last updated in NVD database
- 2026-05-13 - Disclosure posted to the OpenWall oss-security mailing list
Technical Details for CVE-2026-8463
Vulnerability Analysis
The vulnerability is classified as a buffer over-read [CWE-126]. The argon2_verify function in lib/Crypt/Argon2.xs parses an encoded Argon2 hash string to auto-detect the variant (argon2i, argon2d, or argon2id) by locating the second $ separator. The implementation calls memchr(encoded_raw + 1, '$', encoded_len - 1) without first verifying that encoded_len is greater than zero.
When encoded_len equals zero, the expression encoded_len - 1 wraps around to SIZE_MAX because encoded_len is an unsigned size_t. The memchr call then scans up to SIZE_MAX bytes starting one byte past the empty buffer, reading whatever lies in the adjacent heap memory.
The consequences are limited to availability and partial information disclosure. A crash terminates the calling Perl process, and the position where memchr finds a $ byte can influence subsequent parsing, potentially leaking the relative offset of that byte in adjacent heap allocations.
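The guarded parse described above, as an added example that models the XS auto-detect step in plain C (not the module's own code): detect_argon2_type and unguarded_scan_length are hypothetical names, and the encoded strings are constructed samples. It goes one step beyond the upstream fix by also rejecting input that does not begin with '$'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the auto-detect step, not code from Crypt::Argon2. */
enum argon2_variant { ARGON2_UNKNOWN = -1, ARGON2_D = 0, ARGON2_I = 1, ARGON2_ID = 2 };

/* The unguarded length computation from the vulnerable release: for an
 * empty string, 0 - 1 on a size_t wraps to SIZE_MAX, so memchr would be
 * asked to scan far past a zero-length buffer. Returned, never passed
 * to memchr here. */
size_t unguarded_scan_length(size_t encoded_len)
{
    return encoded_len - 1;
}

/* Guarded variant detection. Like the upstream fix, it checks encoded_len
 * before subtracting; it additionally requires a leading '$', which the
 * upstream hunk does not check (hypothetical extra hardening). */
enum argon2_variant detect_argon2_type(const char *encoded, size_t encoded_len)
{
    if (encoded_len == 0 || encoded[0] != '$')
        return ARGON2_UNKNOWN;
    /* Safe now: encoded_len >= 1, so encoded_len - 1 cannot wrap. */
    const char *second = memchr(encoded + 1, '$', encoded_len - 1);
    if (second == NULL)
        return ARGON2_UNKNOWN;          /* no second '$' separator */
    size_t name_len = (size_t)(second - encoded - 1);
    if (name_len == 8 && memcmp(encoded + 1, "argon2id", 8) == 0)
        return ARGON2_ID;
    if (name_len == 7 && memcmp(encoded + 1, "argon2i", 7) == 0)
        return ARGON2_I;
    if (name_len == 7 && memcmp(encoded + 1, "argon2d", 7) == 0)
        return ARGON2_D;
    return ARGON2_UNKNOWN;
}

int main(void)
{
    /* Constructed inputs: empty stored hash, truncated prefix, well-formed
     * argon2id encoding with placeholder salt and hash fields. */
    const char *samples[] = { "", "$", "$argon2id",
                              "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-46s -> variant %d\n", samples[i],
               detect_argon2_type(samples[i], strlen(samples[i])));
    printf("unguarded length for empty input: %zu\n", unguarded_scan_length(0));
    return 0;
}
```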
Root Cause
The root cause is missing input validation on the length parameter passed to a memory-scanning primitive. The XS code assumed encoded_len would be at least one byte but did not enforce this precondition before performing unsigned arithmetic.
Attack Vector
Exploitation requires that a caller pass an empty string to argon2_verify. This commonly occurs when a stored password hash column contains an empty string, NULL coerced to empty, or a placeholder for accounts that have not yet set a password. The attack vector is network-adjacent when authentication flows accept user-controlled identifiers that map to such rows.
// Patch in lib/Crypt/Argon2.xs - CVE-2026-8463 fix
encoded_raw = SvPVbyte(encoded, encoded_len);
if (ix == 4) {
- const char* second_dollar = memchr(encoded_raw + 1, '$', encoded_len - 1);
+ const char* second_dollar = encoded_len ? memchr(encoded_raw + 1, '$', encoded_len - 1) : NULL;
+ if (!second_dollar)
+ Perl_croak(aTHX_ "Could not detect argon2 type: missing '$' separator");
ix = find_argon2_type(encoded_raw + 1, second_dollar - encoded_raw - 1);
}
password_raw = SvPVbyte(password, password_len);
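Review bot: the ternary guard closes the zero-length wrap-around, but the scan still starts at encoded_raw + 1 without checking that encoded_raw[0] is '$', so an input such as "argon2id$..." would treat its first separator as the "second" one and pass a wrong prefix length to find_argon2_type; extending the guard to `encoded_len && encoded_raw[0] == '$'` would make the new "missing '$' separator" croak accurate for that case as well. Since the added Perl_croak turns an empty or malformed stored hash into an exception rather than a failed verification, that behaviour change should also be called out in the Changes entry so callers of the auto-detect form know to wrap it in eval.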
Source: GitHub commit 92eac03. The patch adds a ternary guard to return NULL when encoded_len is zero and croaks with an explicit error when no second $ separator is found.
Detection Methods for CVE-2026-8463
Indicators of Compromise
- Unexpected Perl process crashes or SIGSEGV signals originating from authentication code paths invoking Crypt::Argon2
- Application logs showing argon2_verify calls immediately preceding worker termination or core dumps
- Authentication attempts against accounts whose stored hash column is empty or NULL
Detection Strategies
- Inventory installed CPAN modules across servers and flag any Crypt::Argon2 installation with a version below 0.031
- Audit application code and database schemas for code paths that may pass empty strings to argon2_verify, including legacy accounts and migration artifacts
- Enable core-dump collection on Perl workers and review stack traces for frames inside Crypt::Argon2.xs
Monitoring Recommendations
- Monitor authentication services for abnormal crash rates correlated with specific usernames or empty-hash records
- Alert on repeated authentication requests targeting accounts whose password hash field is empty
- Track CPAN module versions in configuration management to detect drift from the patched 0.031 release
How to Mitigate CVE-2026-8463
Immediate Actions Required
- Upgrade Crypt::Argon2 to version 0.031 or later on all systems running Perl applications that perform password verification
- Audit authentication backends to ensure stored password hash columns are not empty strings or NULL
- Add application-level input validation that rejects empty encoded hashes before they reach argon2_verify
Patch Information
The fix is published in Crypt::Argon2 0.031 on CPAN. The patch is available in the upstream repository as commit 92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64. Release notes are documented in the MetaCPAN Changes log.
Workarounds
- Wrap calls to argon2_verify with a length check that returns failure when the encoded hash is empty
- Use the explicit-variant forms of verification (e.g., argon2id_verify) instead of the auto-detect form where the hash algorithm is known
- Enforce database constraints that prohibit empty or NULL values in password hash columns
# Upgrade Crypt::Argon2 to the patched release
cpanm Crypt::Argon2@0.031
# Verify the installed version
perl -MCrypt::Argon2 -E 'say $Crypt::Argon2::VERSION'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


