PT-2026-40603 · Leont+3 · Crypt::Argon2+2

Published

2026-05-13

·

Updated

2026-06-05

·

CVE-2026-8463

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Crypt::Argon2 versions 0.017 through 0.030
Description A heap out-of-bounds read occurs in the argon2 verify() function when processing empty encoded input. The auto-detect form of argon2 verify() passes encoded len - 1 as the length argument to memchr() without verifying that encoded len is non-zero. If the encoded string is empty, the size t subtraction underflows to SIZE MAX, causing memchr() to scan adjacent heap memory for a '$' separator byte. This can lead to process crashes or the leakage of the position of an adjacent '$' byte during subsequent parsing when the function is invoked against an empty stored hash.
Recommendations Update to version 0.031.

Exploit

Fix

DoS

Integer Underflow

Buffer Over-read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8463

Affected Products

Crypt::Argon2
Crypt
Libcrypt-Argon2-Perl