{"id":"CVE-2026-8463","summary":"Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input","details":"Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.\n\nThe auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.\n\nA caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.","modified":"2026-07-15T01:49:10.684520009Z","published":"2026-05-13T12:40:35.917Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8463.json","cna_assigner":"CPANSec","cwe_ids":["CWE-126","CWE-191"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/13/4"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8463.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8463"},{"type":"FIX","url":"https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64.patch"},{"type":"PACKAGE","url":"https://github.com/Leont/crypt-argon2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/leont/crypt-argon2","events":[{"introduced":"e3d1915374f7d33589ddaf70683a09e953084e45"},{"fixed":"6179de940f95ce7de6e3ca3407a981b4eee9ee64"},{"fixed":"92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64"}],"database_specific":{"cpe":"cpe:2.3:a:leont:crypt\\:\\:argon2:*:*:*:*:*:perl:*:*","extracted_events":[{"introduced":"0.017"},{"fixed":"0.031"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v0.030","v0.029","v0.028","v0.027","v0.026","v0.025","v0.024","v0.023","v0.022","v0.021","v0.020","v0.019","v0.018","v0.017"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8463.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}