Fluid Attacks Database

Description

A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 14	hashcat	=6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 12	hashcat	=6.2.6+ds1-1 \|\| =6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 11	hashcat	=6.1.1+ds1-1 \|\| =6.2.5+ds1-1 \|\| =6.2.5+ds1-2 \|\| =6.2.6+ds1-1 \|\| =6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 13	hashcat	=6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4

Aliases

1. CVE-2026-424832. NVD-2026-424833. OSV-DEBIAN-2026-424834. OSV-2026-424835. SECURITY-TRACKER-CVE-2026-42483

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.