CVE-2026-8463: Heap Out-of-Bounds Read in Crypt::Argon2
Platform: perl
Component: crypt-argon2
Fixed in: 0.031
CVE-2026-8463 describes a heap out-of-bounds read discovered in Crypt::Argon2, a Perl module implementing the Argon2 password-hashing and key-derivation function. The flaw is triggered when argon2_verify is called with an empty encoded string, and can lead to disclosure of heap memory. It affects releases earlier than 0.031 (0.017 and 0.020 through 0.030) and is fixed in version 0.031.
Impact and Attack Scenarios
An attacker who can get an empty encoded string into argon2_verify can trigger the bug. With no '$' separator present in the (empty) buffer, the decoder's memchr call scans adjacent heap memory looking for one, which is an out-of-bounds read. Whatever happens to sit next to the buffer, potentially cryptographic keys, passwords or other secrets, may be exposed, so the severity depends on what the process heap holds at the time. Note that in a typical deployment the encoded argument is the stored hash rather than user-supplied input; the attacker-controlled value is usually the password, so exploitability depends on whether an empty stored hash can reach the verifier (for example, a user record whose hash field is empty or was never populated). The direct impact is limited to memory disclosure, but the case is a reminder that cryptographic parsers must check input length before scanning for structure.
Exploitation Context
CVE-2026-8463 was published on 2026-05-13. Its severity is pending evaluation. No proof-of-concept code has been published as of this writing, and there are no indications of active exploitation. Refer to the Perl security mailing list and CPAN for updates and further information.
Mitigation and Workarounds
The primary mitigation for CVE-2026-8463 is to upgrade to Crypt::Argon2 version 0.031 or later, which contains the fix. If upgrading is not immediately feasible, guard the call: reject an undefined, empty, or obviously malformed stored hash before it reaches argon2_verify, and treat that case as a failed authentication rather than an error that exposes details. Also review the code paths that produce the encoded argument (user creation, password reset, data migration) to find where an empty value could be written to the hash field. After upgrading, confirm the fix by calling argon2_verify with an empty encoded string under a memory checker (Valgrind, or a Perl built with AddressSanitizer) and verifying that the call fails cleanly with no out-of-bounds read reported.
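The guard described above, as an added example that is not Crypt::Argon2's own code. It assumes the documented API argon2_verify($encoded, $password) and argon2id_pass($password, $salt, $t_cost, $m_factor, $parallelism, $tag_size); the helper names looks_like_argon2, safe_argon2_verify and needs_upgrade are ours, and the salt is a fixed value constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example (not Crypt::Argon2's own code): guard argon2_verify so that an
# empty, undefined or malformed stored hash never reaches the C decoder.
# The helper names looks_like_argon2, safe_argon2_verify and needs_upgrade
# are ours, not part of the module.
use strict;
use warnings;
use Crypt::Argon2 qw(argon2id_pass argon2_verify);

# Shape check for a PHC-style Argon2 string:
#   $argon2id$v=19$m=32768,t=3,p=1$<base64 salt>$<base64 tag>
# This only guarantees the string is non-empty and carries the '$' separators
# the decoder scans for; argon2_verify still performs the real parse.
sub looks_like_argon2 {
    my ($encoded) = @_;
    return 0 unless defined $encoded && length $encoded;
    return $encoded =~ m{\A\$argon2(?:id|i|d)\$v=\d+\$[^\$]+\$[^\$]+\$[^\$]+\z} ? 1 : 0;
}

# Drop-in replacement for argon2_verify($encoded, $password): returns 1 on a
# match and 0 otherwise. A bad stored hash is treated as a failed login, and a
# croak from the underlying verifier (assumption: some versions croak on decode
# errors) is also mapped to 0 rather than propagated to the caller.
sub safe_argon2_verify {
    my ($encoded, $password) = @_;
    return 0 unless looks_like_argon2($encoded);
    my $ok = eval { argon2_verify($encoded, $password) };
    return $ok ? 1 : 0;
}

# Report whether the installed module predates the fix in 0.031.
sub needs_upgrade {
    require version;
    return version->parse($Crypt::Argon2::VERSION) < version->parse('0.031') ? 1 : 0;
}

# Demonstration. The salt is a fixed 16-byte value constructed for this example;
# production code must draw it from a CSPRNG (e.g. Crypt::URandom).
my $salt    = 'abcdefghijklmnop';
my $encoded = argon2id_pass('correct horse', $salt, 3, '32M', 1, 16);

printf "installed Crypt::Argon2 %s: %s\n", $Crypt::Argon2::VERSION,
    needs_upgrade() ? 'upgrade to 0.031 or later' : 'fixed';
print safe_argon2_verify($encoded, 'correct horse') ? "ok\n"   : "FAIL\n";
print safe_argon2_verify($encoded, 'wrong')         ? "FAIL\n" : "rejected (wrong password)\n";
print safe_argon2_verify('',        'anything')     ? "FAIL\n" : "rejected (empty hash)\n";
print safe_argon2_verify(undef,     'anything')     ? "FAIL\n" : "rejected (undefined hash)\n";
```

The shape check deliberately stops short of decoding the parameters: its only job is to keep the empty-input case (and similarly truncated strings) away from the C decoder, while leaving the real parsing and the constant-time tag comparison to argon2_verify. Running the script under Valgrind before and after upgrading is the quickest way to confirm the out-of-bounds read is gone.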
How to fix
Upgrade the Crypt::Argon2 module to version 0.031 or later to fix the heap out-of-bounds read. This can be done with the cpan client (cpan Crypt::Argon2) or through your project's dependency management system.
Frequently asked questions
What is CVE-2026-8463 — Heap Out-of-Bounds Read in Crypt::Argon2?
CVE-2026-8463 is a vulnerability in Crypt::Argon2 for Perl where an empty encoded string passed to argon2_verify triggers a heap out-of-bounds read, potentially exposing memory contents. It affects versions 0.017 and 0.020 through 0.030; 0.031 contains the fix.
Am I affected by CVE-2026-8463 in Crypt::Argon2?
You are affected if your system uses Crypt::Argon2 version 0.017 or 0.020 through 0.030 (any release before 0.031). Check the installed version with perl -MCrypt::Argon2 -e 'print $Crypt::Argon2::VERSION, "\n"'.
How do I fix CVE-2026-8463 in Crypt::Argon2?
Upgrade to Crypt::Argon2 version 0.031 or later. If an immediate upgrade is not possible, validate the stored hash before calling argon2_verify and treat an empty or undefined value as a failed authentication.
Is CVE-2026-8463 being actively exploited?
There are currently no public reports or indications of active exploitation campaigns targeting CVE-2026-8463.
Where can I find the official Crypt::Argon2 advisory for CVE-2026-8463?
Refer to the Perl security mailing list and CPAN for the official advisory and updates related to CVE-2026-8463.