hashcat heap overflow DoS or RCE (CVE-2026-42483)
CVE-2026-42483: Critical heap-based buffer overflow in hashcat v7.1.2 Kerberos parser allows unauthenticated RCE or DoS (CVSS 9.8). Update to v7.2.0 or apply the workaround.
Patch now - CVE-2026-42483 is a critical heap-based buffer overflow in hashcat v7.1.2 that lets an attacker cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. Patched in v7.2.0 - update immediately.
Overview
CVE-2026-42483 is a heap-based buffer overflow vulnerability in the Kerberos hash parser of hashcat, the popular password recovery tool. The flaw resides in multiple Kerberos-related modules where the function module_hash_decode processes attacker-supplied Kerberos hash files. Specifically, the account_info_len value is derived from untrusted delimiter positions without any upper-bound validation. This allows an attacker to craft a hash file where account_info_len exceeds the size of the fixed-size account_info buffer, causing a heap overflow during the subsequent memcpy operation.
Impact
A remote, unauthenticated attacker can trigger this overflow by supplying a malicious Kerberos hash file to a hashcat process. The most likely outcome is a denial of service (hashcat crash), but the vulnerability is classified as critical (CVSS 9.8) because exploitation could lead to arbitrary code execution in the context of the hashcat process. Given hashcat is often run on high-performance systems handling sensitive credential data, successful RCE would give an attacker deep access to the host machine.
Affected Versions
All deployments of hashcat v7.1.2 and earlier releases using the Kerberos hash parser are vulnerable. The flaw affects any Kerberos-related hash module that uses account_info_len in the decoding path.
Remediation
Upgrade to hashcat v7.2.0 - this release includes a fix that properly validates account_info_len against the fixed buffer size before the memcpy operation. Users unable to upgrade immediately should avoid processing Kerberos hash files from untrusted sources as a temporary mitigation.
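The unchecked copy described in the Overview and the bounds check described in the fix, shown as an added example (not hashcat's own code) on a simplified, constructed line format in which the account-info field sits between two `*` delimiters. The buffer size `ACCOUNT_INFO_MAX`, the struct, the function names and the return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical size; the advisory only says the buffer is fixed-size. */
#define ACCOUNT_INFO_MAX 64

typedef struct {
    char   account_info[ACCOUNT_INFO_MAX + 1]; /* +1 for the terminator */
    size_t account_info_len;
} krb_entry_t;

enum { PARSE_OK = 0, PARSE_NO_DELIM = -1, PARSE_TOO_LONG = -2 };

/* Locate the field between the first and last '*' of a constructed,
 * simplified line such as "$krb$*user$REALM$spn*$data". The length is
 * derived purely from delimiter positions, so the input controls it. */
static int find_account_info(const char *line, const char **start, size_t *len)
{
    const char *open = strchr(line, '*');
    if (open == NULL) return PARSE_NO_DELIM;
    const char *close = strrchr(open + 1, '*');
    if (close == NULL) return PARSE_NO_DELIM;
    *start = open + 1;
    *len = (size_t)(close - (open + 1));
    return PARSE_OK;
}

/* Unchecked pattern the advisory describes, kept here only as a comment:
 *     memcpy(out->account_info, start, len);   (len never compared to the buffer)
 * Hardened decode: reject the line before any copy if len does not fit. */
int decode_account_info(const char *line, krb_entry_t *out)
{
    const char *start;
    size_t len;
    int rc = find_account_info(line, &start, &len);
    if (rc != PARSE_OK) return rc;

    if (len > ACCOUNT_INFO_MAX) return PARSE_TOO_LONG; /* upper-bound check */

    memcpy(out->account_info, start, len);
    out->account_info[len] = '\0';
    out->account_info_len = len;
    return PARSE_OK;
}
```

Rejecting the whole line, rather than truncating the field, keeps an oversized entry from being silently processed as a different account string.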
Detection and Mitigation
There are no known indicators of compromise specific to this exploit. Organizations running hashcat for password auditing or recovery should ensure the tool is only used on trusted, internally-generated hash files. Consider running hashcat in a sandboxed or containerized environment to limit the blast radius if exploitation occurs.
Security Insight
This vulnerability follows a recurring pattern in security tools: parsers that handle user-supplied input often lack rigorous bounds checking on derived field lengths. Hashcat’s reliance on memcpy with attacker-controlled sizes reflects an older C coding style that does not prioritize memory safety. As password cracking tools are increasingly deployed in CI/CD pipelines and automated workflows against diverse file formats, vendors should migrate toward memory-safe parsing patterns or integrate static analysis to catch these overflow classes during development. The fact that a single untrusted file can crash or take over the tool underscores why security engineers should never expose hashcat (or similar utilities) to internet-facing input without isolation, regardless of the tool’s intended use case.