CVE-2026-8463

216.73.217.22

· Published 13/05/2026 14:18 · Modified 13/05/2026 19:23

Labels: CVE-2026-8463 2026-05-13 9b29abf9-4ab0-4765-b253-1875cd9b441e CVE-2026-8463 CWE-126

Essential information

Published: 13/05/2026 14:18
Modified: 13/05/2026 19:23
Author: —
Creator: —
CVSS: 5.3 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS metrics

Description

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.

NVD status

Status: Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD: View on NVD

Affected products (CPE)

Product	CPE
leont / crypt\	`cpe:2.3:a:leont:crypt\:\:argon2::::::perl::*`