Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat — Penetration Testing Toolchain at Risk

Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely-used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input — including shared red team infrastructure and automated password auditing pipelines.


Three buffer overflow vulnerabilities have been disclosed in Hashcat — the widely-deployed open-source password recovery tool used in penetration testing, red teaming, and enterprise password auditing workflows. The vulnerabilities, assigned CVE-2026-42482, CVE-2026-42483, and CVE-2026-42484, were discovered by security researchers and reported via responsible disclosure. Fixed versions have been published.

Vulnerability Details

The three CVEs affect Hashcat versions prior to 7.2.0 and share a common class of root cause: insufficient bounds checking when processing external input.

CVE-2026-42482 — A heap buffer overflow in Hashcat’s binary hash file parser. Maliciously crafted .hcmask wordlists or binary hash files can trigger an out-of-bounds write to heap memory. CVSS 7.8, HIGH.

CVE-2026-42483 — A stack buffer overflow in the rule engine parser triggered by rule files with specially crafted function chain sequences. CVSS 7.8, HIGH.

CVE-2026-42484 — An integer overflow in the potfile (.pot) parser that can lead to a heap overflow when processing large potfile entries from untrusted sources. CVSS 7.2, HIGH.

No in-the-wild exploitation of any of the three CVEs had been confirmed as of the disclosure date. Fixes are present in Hashcat 7.2.0, released 2 May 2026.

Who Is Affected

The impacted environments are specifically those where Hashcat processes input files from untrusted or semi-trusted sources:

Shared penetration testing infrastructure: Many red teams and managed security service providers operate shared Hashcat servers that multiple analysts submit cracking jobs to. A compromised analyst account, a malicious customer-provided file, or a poisoned shared wordlist repository could deliver malicious input to the shared service, potentially compromising the server and all client data accessible from it.

Automated password auditing pipelines: Organisations running automated Active Directory password quality assessments — where NTDS.dit exports are periodically processed by Hashcat — have pipeline components that handle hash files programmatically. Pipelines that also fetch rule files or mask files from shared repositories expose the rule-file parsing path affected by CVE-2026-42483.

CTF and challenge infrastructure: Capture-the-flag platforms and training environments that allow users to submit hash files for processing are directly in scope for CVE-2026-42482.

Individual security practitioner workstations: Security professionals who use Hashcat against hash files or wordlists sourced from public repositories, Pastebin, or client-provided material should be aware that those files are now a potential code execution vector if Hashcat is not updated.

Why Security Tool Vulnerabilities Warrant Attention

The security industry has a documented tendency to under-patch its own tooling. Hashcat, Metasploit, Burp Suite, Nessus, and other security tools run with elevated privileges in sensitive environments — often on the same systems that store client assessment data, penetration test credentials, and internal infrastructure access. A compromise of a penetration tester’s workstation via their own toolchain is a recurring attack pattern: threat actors have historically targeted security firms and red team infrastructure precisely because the access is broad and the tooling is trusted.

CVE-2026-42482 through 42484 do not individually represent a catastrophic risk — they require delivery of malicious input, which limits mass exploitation. However, in the specific context of shared assessment infrastructure, the risk profile is higher than the CVSS score alone suggests.

Recommended Actions

  • Update Hashcat to 7.2.0 or later immediately — the fixed version is available from the official Hashcat GitHub releases page; the fix addresses all three CVEs.
  • Audit shared Hashcat deployment configurations — review access to shared cracking servers, confirm that job submissions are limited to authenticated internal users, and verify that no external-facing endpoints accept arbitrary hash or rule file uploads.
  • Vet wordlists and rule files at ingestion — automated pipelines that pull files from external sources should validate file size and format before passing them to Hashcat; at minimum, size-limit rule files and mask files to prevent triggering the integer overflow in CVE-2026-42484.
  • Apply the principle of least privilege to Hashcat processes — Hashcat should run as a non-root, non-admin service account with access restricted to the specific directories required for hash input and output. Running Hashcat as a privileged user on a shared server significantly amplifies the blast radius of any exploitation.
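As an added example of the ingestion vetting recommended above (this is not Hashcat project code), the following Python validator caps file and line sizes and sanity-checks the syntax of rule, mask and potfile inputs before a pipeline hands them to Hashcat. The size caps are assumed values to tune per deployment, and the mask and potfile checks are deliberately conservative approximations of Hashcat's formats, not full parsers.

```python
import os
import re
from typing import List

# Caps are constructed example values; tune them to your pipeline's real inputs.
MAX_FILE_BYTES = {"rule": 4_000_000, "mask": 1_000_000, "pot": 50_000_000}
MAX_LINE_BYTES = {"rule": 256, "mask": 512, "pot": 2048}

# Mask tokens Hashcat documents: ?l ?u ?d ?s ?a ?b ?h ?H, custom charsets ?1-?4,
# and ?? for a literal question mark. Anything else after '?' is rejected.
MASK_TOKEN = re.compile(rb"\?[ludsabhH1-4?]")
# A potfile entry is <hash>[:<salt>]:<plaintext>; we only demand a hash before a colon.
POT_LINE = re.compile(rb"^[^:\s]+:")


def _line_problems(kind: str, lineno: int, line: bytes) -> List[str]:
    """Per-line checks; returns human-readable problems for one non-comment line."""
    if len(line) > MAX_LINE_BYTES[kind]:
        return [f"line {lineno}: {len(line)} bytes exceeds {MAX_LINE_BYTES[kind]}"]
    # Reject control bytes (tab allowed) and DEL regardless of file kind.
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in line):
        return [f"line {lineno}: control byte present"]
    if kind == "mask":
        # .hcmask lines may carry custom charsets before the mask, comma separated;
        # every field must consist only of known ?-tokens and literal characters.
        for field in line.split(b","):
            if b"?" in MASK_TOKEN.sub(b"", field):
                return [f"line {lineno}: unknown mask token"]
    elif kind == "pot" and not POT_LINE.match(line):
        return [f"line {lineno}: not a hash:plain entry"]
    elif kind == "rule" and any(b >= 0x80 for b in line):
        return [f"line {lineno}: non-ASCII byte in rule"]
    return []


def validate_content(data: bytes, kind: str) -> List[str]:
    """Validate an in-memory rule/mask/pot file; an empty list means accept."""
    if kind not in MAX_FILE_BYTES:
        return [f"unknown file kind {kind!r}"]
    if len(data) > MAX_FILE_BYTES[kind]:
        return [f"{len(data)} bytes exceeds cap {MAX_FILE_BYTES[kind]}"]
    problems: List[str] = []
    for lineno, line in enumerate(data.splitlines(), 1):
        if not line.strip() or line.startswith(b"#"):  # blank lines and comments
            continue
        problems.extend(_line_problems(kind, lineno, line))
    return problems


def validate_file(path: str, kind: str) -> List[str]:
    """Check the on-disk size first so an oversized upload is never read into memory."""
    if os.path.getsize(path) > MAX_FILE_BYTES[kind]:
        return [f"{path}: exceeds size cap {MAX_FILE_BYTES[kind]}"]
    with open(path, "rb") as fh:
        return validate_content(fh.read(), kind)
```

A pipeline would call validate_file on each fetched rule, mask or potfile and refuse to launch Hashcat when the returned list is non-empty, logging the problems for the submitting user or job.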

The Hashcat maintainers have handled this responsibly — the fixes were developed in collaboration with the reporting researchers and are available ahead of broad publication of exploit details.
