External risk intelligence

Hashcat could allow an internal attacker to take control of the system.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42482

Hashcat contains a vulnerability that allows an internal attacker to run unauthorized commands or crash the application. This could result in a full compromise of the machine performing password cracking tasks.

Halo Surface Signal: 1

Weakness: Out-of-bounds Write

Product: Hashcat

Version: 7.1.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-42482

Hashcat is a local command-line password cracking utility, not a network-facing service. It runs locally on a workstation to process user-provided files or command-line inputs. It lacks any network listener or public-facing interface. Exploitation requires local execution or the processing of untrusted files, making it highly unlikely to be reached directly from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in hashcat's rule processing can crash the process or lead to code execution. It occurs when password bytes are converted to their hexadecimal representation: every input byte becomes two output characters, and the bounds check does not account for that doubling, so password candidates of 128 characters or longer overflow the destination buffer.

  • Can crash the application.
  • May allow code execution.
  • Affects hashcat, a widely used password cracking tool.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by crafting a malicious rule file, or by using specific command-line options together with password candidates of 128 characters or longer. When a vulnerable hashcat version processes the crafted input, the result is a denial-of-service condition or potentially arbitrary code execution on the victim's machine.

  • Requires local execution.
  • Targets hashcat's rule processing.
  • Uses long password candidates.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in hashcat is unlikely to be weaponized by external attackers. Hashcat is a local password cracking tool, meaning exploitation requires direct local access or the processing of malicious files by a user. There's no network-facing component that would enable remote exploitation.

  • Primarily a local exploitation vector.
  • Requires user interaction or file processing.
  • No observed public exploit.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating any hashcat instances that process external or untrusted rule files, or password candidates of 128 characters or more. Given the critical severity and the potential for arbitrary code execution, immediate containment is warranted wherever such usage is found.

  • Block or restrict execution of hashcat.
  • Monitor for hashcat processes with long password candidates.
  • Update hashcat to a version addressing the buffer overflow.

Frequently asked questions

What is the primary function of hashcat and how does CVE-2026-42482 impact it?

Hashcat is a password cracking utility. CVE-2026-42482 is a stack-based buffer overflow in its rule processing functions, mangle_to_hex_lower() and mangle_to_hex_upper(). The flaw can lead to a denial of service or potentially arbitrary code execution when hashcat processes crafted rule files, or specific command-line options are used with password candidates of 128 characters or more.

How does the buffer overflow vulnerability in hashcat (CVE-2026-42482) occur?

The vulnerability, classified as CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow), stems from an insufficient bounds check in hashcat's `mangle_to_hex_lower()` and `mangle_to_hex_upper()` functions in `src/rp_cpu.c`. The check fails to account for the twofold expansion that happens when password bytes are converted to hexadecimal (one input byte becomes two output characters), so a long password candidate passes the check yet its hex form no longer fits in the destination buffer.
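The following C program is an added illustration of the check-versus-expansion mismatch described in the summary and in this answer; it is not hashcat's code and does not reproduce its constants or the exact form of its check. It assumes a 256-byte candidate buffer that must keep one byte spare for a terminator, under which a 128-byte candidate is the first one that overflows, matching the threshold the advisory reports. The flawed check is only evaluated, never used to guard a real write, so the program does not corrupt its own memory; the hardened conversion sizes its output against the real capacity before writing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this illustration only: a 256-byte candidate buffer that must
 * keep one byte spare for a terminator. Hashcat's real constants and the
 * exact shape of its check are not reproduced here. */
#define CAND_BUF_SIZE 256

/* Flawed bounds check of the kind the advisory describes: it compares the
 * input length against the buffer size and ignores that every input byte
 * becomes two hex characters. */
int hex_check_flawed(size_t len)
{
    return len < CAND_BUF_SIZE;
}

/* Corrected check: the expanded output (2 * len) plus the terminator must
 * still fit. With a 256-byte buffer this rejects candidates of 128 bytes or
 * more and accepts 127, matching the threshold the advisory reports. */
int hex_check_fixed(size_t len)
{
    return len <= (CAND_BUF_SIZE - 1) / 2;
}

/* How many bytes the expansion would write past the end of the buffer if
 * only the flawed check guarded it; 0 when nothing would overflow. This is
 * computed, not performed, so the program never corrupts its own memory. */
size_t hex_overflow_bytes(size_t len)
{
    if (!hex_check_flawed(len)) return 0;     /* flawed check rejects it */
    size_t needed = 2 * len + 1;              /* hex digits plus terminator */
    return needed > CAND_BUF_SIZE ? needed - CAND_BUF_SIZE : 0;
}

/* Hardened lowercase hex expansion: sizes the output against the real
 * capacity before writing a single byte. Returns the number of hex
 * characters written (terminator excluded), or 0 when the input is refused. */
size_t to_hex_lower_safe(const uint8_t *in, size_t len, char *out, size_t out_cap)
{
    static const char digits[] = "0123456789abcdef";
    if (out_cap == 0 || len > (out_cap - 1) / 2) return 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

/* Self-check on constructed input: "ab" must become "6162", and a 128-byte
 * candidate must be refused by a 256-byte buffer. Returns 1 on success. */
int hex_selfcheck(void)
{
    char out[CAND_BUF_SIZE];
    uint8_t small[2] = { 'a', 'b' };
    uint8_t big[128];                         /* constructed 128-byte candidate */
    memset(big, 'A', sizeof big);

    if (to_hex_lower_safe(small, sizeof small, out, sizeof out) != 4) return 0;
    if (strcmp(out, "6162") != 0) return 0;
    if (to_hex_lower_safe(big, sizeof big, out, sizeof out) != 0) return 0;
    return 1;
}

int main(void)
{
    for (size_t len = 126; len <= 130; len++)
        printf("len=%zu flawed_check=%d fixed_check=%d overflow_bytes=%zu\n",
               len, hex_check_flawed(len), hex_check_fixed(len), hex_overflow_bytes(len));
    printf("selfcheck=%s\n", hex_selfcheck() ? "ok" : "FAIL");
    return hex_selfcheck() ? 0 : 1;
}
```

The table printed by main() shows the gap: for lengths 128 through 130 the flawed check still passes while the fixed check refuses, and the overflow grows by two bytes per extra input character. The general fix is the same wherever a transformation expands its input (hex, base64, escaping): compare the output size, not the input size, against the destination capacity, and do so before the first byte is written.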

What is the attack vector and scope of impact for CVE-2026-42482 in hashcat?

The recorded CVSS vector lists attack vector network (AV:N), privileges required none (PR:N), user interaction none (UI:N) and scope unchanged (S:U), with high impact on confidentiality, integrity and availability (C:H/I:H/A:H), which produces the 9.8 critical score. In practice, however, triggering the overflow requires an attacker to supply a crafted rule file, or specific command-line options with lengthy password candidates, to a hashcat process running on the target machine; that is why the exposure assessment above treats this as a local issue despite the network attack vector in the score.

What is the threat advisory for CVE-2026-42482 concerning hashcat?

Hashcat is a local, command-line password cracking tool with no network-facing interface. Exploitation requires local execution or the processing of untrusted files, so the flaw is highly unlikely to be reached directly from the public internet. The threat advisory is therefore rated 'Very unlikely', with a score of 1.

What practical steps should be taken to mitigate the risks associated with CVE-2026-42482?

To mitigate this vulnerability, organizations should identify and isolate any hashcat instances that process external or untrusted rule files, or password candidates of 128 characters or more. Block or restrict execution of hashcat where possible, and monitor its processes, especially those handling long password candidates. Updating hashcat to a version that addresses this buffer overflow is also recommended.

References