External risk intelligence

Hashcat could allow an internal attacker to crash the application or take system control

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42484

By processing a malicious file, an internal attacker can cause Hashcat to stop working, resulting in service disruption. This flaw also allows the attacker to execute unauthorized commands, giving them full control over the system.

Halo Surface Signal: 1

Out-of-bounds Write

Hashcat

7.1.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-42484

Hashcat is a command-line password recovery utility typically operated locally or within internal infrastructure. It is not an internet-facing gateway, web service, or remote access application. Its function requires processing specific input files, which is a local or internal activity rather than a public-facing network service exposed to the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in hashcat's PKZIP hash parser that could allow an attacker to disrupt services or potentially gain control of a system. This issue arises from improper handling of input data when converting hex to binary.

  • Affects systems running hashcat.
  • Can lead to denial of service or code execution.
  • Attack requires processing a crafted file.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by tricking a user into processing a specially crafted PKZIP hash file with hashcat version 7.1.2. This crafted file would trigger a heap-based buffer overflow when the hex-to-binary function attempts to decode attacker-controlled data into a fixed-size buffer. Successful exploitation could lead to denial of service or the execution of arbitrary code.

  • Requires user to run vulnerable hashcat.
  • Targets PKZIP hash parsing functionality.
  • Exploitation depends on specific hash modules.

Live Threat

Current exploitation, exposure, and threat context

This heap-based buffer overflow in hashcat's PKZIP parser could be weaponized for denial of service or arbitrary code execution. Attackers may find this vulnerability appealing due to its critical severity and potential for code execution, especially if exploitation proves straightforward. However, hashcat's primary use as a local password cracking tool might limit its appeal for widespread, automated attacks compared to internet-facing vulnerabilities.

  • Exploitation is possible via crafted hash files.
  • No public exploit or KEV signals observed.
  • Vulnerability published recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating any systems processing PKZIP hash files with hashcat version 7.1.2, as this critical vulnerability could allow unauthenticated attackers to achieve arbitrary code execution. Review logs for unusual processing of PKZIP hashes and investigate any suspicious activity.

  • Block network access to affected hashcat instances.
  • Update hashcat to a patched version when available.
  • Monitor for signs of unauthorized code execution.

Frequently asked questions

What is hashcat and what is it used for?

Hashcat is a command-line utility designed for password recovery. It recovers passwords by testing candidate passwords against hashes produced by various algorithms, such as those found in PKZIP archives. People often use it for security audits and to recover forgotten passwords.

What is the vulnerability in hashcat version 7.1.2?

The vulnerability, identified as CVE-2026-42484, is a heap-based buffer overflow in the hex-to-binary conversion process within hashcat's PKZIP hash parser. This weakness arises when the software decodes user-supplied hex data into a buffer without adequate length checks, potentially leading to crashes or code execution.
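The bug class described above, shown as an added example that is not hashcat's source code: a hex decoder that sizes its writes from the input alone, next to one that checks the destination capacity before writing. The names `DATA_MAX`, `hex_decode_unchecked` and `hex_decode_bounded` and the buffer size are hypothetical, chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_MAX 32 /* constructed capacity for this example, not hashcat's value */

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unsafe pattern: the number of bytes written depends only on the input
 * length, so a hex field longer than 2 * capacity writes past the end of dst.
 * Only safe when the caller has already bounded hex_len. */
size_t hex_decode_unchecked(const char *hex, size_t hex_len, uint8_t *dst) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < hex_len; i += 2)
        dst[n++] = (uint8_t)(((unsigned)hex_nibble(hex[i]) << 4) | (unsigned)hex_nibble(hex[i + 1]));
    return n;
}

/* Bounded decoder: rejects odd-length input, input that would not fit in
 * dst_cap bytes, and non-hex characters. Returns bytes written, or -1. */
long hex_decode_bounded(const char *hex, size_t hex_len, uint8_t *dst, size_t dst_cap) {
    if (hex_len % 2 != 0) return -1;
    if (hex_len / 2 > dst_cap) return -1; /* the length check the unsafe form lacks */
    for (size_t i = 0; i < hex_len; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        dst[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(hex_len / 2);
}

int main(void) {
    uint8_t buf[DATA_MAX];
    char oversized[2 * DATA_MAX + 9]; /* constructed input: decodes to 4 bytes more than fits */
    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid field     -> %ld\n", hex_decode_bounded("deadbeef", 8, buf, sizeof buf));
    printf("oversized field -> %ld\n", hex_decode_bounded(oversized, strlen(oversized), buf, sizeof buf));
    return 0;
}
```

Building a parser like this with AddressSanitizer (`-fsanitize=address`) and feeding it oversized fields is a quick way to confirm the capacity check holds.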

How can an attacker exploit this hashcat vulnerability?

An attacker could exploit this by presenting a specially crafted PKZIP hash file to a user running hashcat version 7.1.2. The attacker does not need any special privileges or user interaction beyond convincing the victim to process this malicious file. Processing this file triggers the buffer overflow.

Who should be concerned about this hashcat vulnerability?

Organizations and individuals using hashcat version 7.1.2 to process PKZIP hash files should be concerned. Since hashcat is typically used locally or within internal networks rather than being internet-facing, the risk is primarily from internal threats or if a user is tricked into processing a malicious file.

What is the first step to respond to this hashcat threat?

The immediate first step is to identify all systems running hashcat version 7.1.2. If systems are found to be vulnerable, consider isolating them or restricting their ability to process PKZIP hash files until a patched version of hashcat can be applied.
