CVE-2026-8463

Published: Mag 13, 2026 Last Modified: Mag 13, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.

The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.

A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.

126

Buffer Over-read

Draft
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Availability Integrity
Potential Impacts:
Read Memory Bypass Protection Mechanism Dos: Crash, Exit, Or Restart
Applicable Platforms
Languages: C, C++, Memory-Unsafe
View CWE Details
191

Integer Underflow (Wrap or Wraparound)

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Integrity Confidentiality Access Control
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Instability Modify Memory Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Languages: C, C#, C++, Java
View CWE Details
https://github.com/Leont/crypt-argon2/commit/92eac03ce63d54…
https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce…
https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/chang…
https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes