PT-2026-40603 · Leont+3 · Crypt::Argon2+2
Published
2026-05-13
·
Updated
2026-06-05
·
CVE-2026-8463
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Crypt::Argon2 versions 0.017 through 0.030
Description
A heap out-of-bounds read occurs in the
argon2 verify() function when processing empty encoded input. The auto-detect form of argon2 verify() passes encoded len - 1 as the length argument to memchr() without verifying that encoded len is non-zero. If the encoded string is empty, the size t subtraction underflows to SIZE MAX, causing memchr() to scan adjacent heap memory for a '$' separator byte. This can lead to process crashes or the leakage of the position of an adjacent '$' byte during subsequent parsing when the function is invoked against an empty stored hash.Recommendations
Update to version 0.031.
Exploit
Fix
DoS
Integer Underflow
Buffer Over-read
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Crypt::Argon2
Crypt
Libcrypt-Argon2-Perl