Fluid Attacks Database

Description

A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	hashcat	=6.2.6+ds1-1 \|\| =6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 11	hashcat	=6.1.1+ds1-1 \|\| =6.2.5+ds1-1 \|\| =6.2.5+ds1-2 \|\| =6.2.6+ds1-1 \|\| =6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 13	hashcat	=6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4
debian 14	hashcat	=6.2.6+ds2-1 \|\| =7.1.2+ds1-1 \|\| =7.1.2+ds1-2 \|\| =7.1.2+ds1-3 \|\| =7.1.2+ds1-4

Aliases

1. CVE-2026-424842. NVD-2026-424843. OSV-DEBIAN-2026-424844. OSV-2026-424845. SECURITY-TRACKER-CVE-2026-42484

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.