CVE-2026-8463

Name: CVE-2026-8463
Description: Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
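The length underflow described above, shown as an added illustration in C (not code from Crypt::Argon2 or its upstream fix): unchecked_scan_len reproduces the size_t arithmetic the unchecked form hands to memchr without performing the scan, and detect_variant is a hypothetical hardened variant detector that rejects empty or one-byte input before any pointer arithmetic. It assumes the standard PHC-style encoding ("$argon2id$v=19$m=...,t=...,p=...$salt$hash"), which the advisory does not spell out.

```c
#include <stddef.h>
#include <string.h>

/* The value the unchecked form passes as memchr's length argument.
 * Constructed illustration of the bug: with encoded_len == 0 the
 * subtraction wraps to SIZE_MAX, so memchr would walk far past the buffer. */
size_t unchecked_scan_len(size_t encoded_len) {
    return encoded_len - 1;
}

/* Returns 1 when the scan length exceeds the buffer itself, i.e. the
 * underflow case a length check must catch. */
int scan_len_overflows(size_t encoded_len) {
    return unchecked_scan_len(encoded_len) > encoded_len;
}

typedef enum { ARGON2_D, ARGON2_I, ARGON2_ID, ARGON2_UNKNOWN } argon2_variant;

/* Hardened variant detection (hypothetical helper): the variant name sits
 * between the first two '$' bytes of the encoded string. Short input is
 * rejected up front, so encoded_len - 1 can no longer underflow and memchr
 * is only ever asked to scan bytes inside the caller's buffer. */
argon2_variant detect_variant(const char *encoded, size_t encoded_len) {
    if (encoded == NULL || encoded_len < 2 || encoded[0] != '$')
        return ARGON2_UNKNOWN;

    /* Safe: encoded_len >= 2 here, so the remaining length is >= 1. */
    const char *end = memchr(encoded + 1, '$', encoded_len - 1);
    if (end == NULL)
        return ARGON2_UNKNOWN;   /* no second separator: malformed */

    size_t n = (size_t)(end - (encoded + 1));
    if (n == 8 && memcmp(encoded + 1, "argon2id", 8) == 0) return ARGON2_ID;
    if (n == 7 && memcmp(encoded + 1, "argon2i", 7) == 0)  return ARGON2_I;
    if (n == 7 && memcmp(encoded + 1, "argon2d", 7) == 0)  return ARGON2_D;
    return ARGON2_UNKNOWN;
}
```

An empty stored hash therefore fails verification cleanly instead of triggering a scan of adjacent heap memory.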

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release      Version   Status
libcrypt-argon2-perl    bookworm     0.013-1   vulnerable
libcrypt-argon2-perl    trixie       0.030-1   vulnerable
libcrypt-argon2-perl    forky, sid   0.031-1   fixed

The information below is based on the following data on fixed versions.

Package                 Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libcrypt-argon2-perl    source   (unstable)   0.031-1

Notes

[trixie] - libcrypt-argon2-perl <no-dsa> (Minor issue)
[bookworm] - libcrypt-argon2-perl <no-dsa> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40006926/
https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64 (v0.031)
