Heap Out-of-Bounds Read in Perl Product by Leont
CVE-2026-8463
What is CVE-2026-8463?
A vulnerability in Crypt::Argon2 versions up to 0.030 allows an out-of-bounds read when the argon2_verify function is called with empty encoded input. The function passes encoded_len - 1 as the length argument to memchr without first validating that encoded_len is greater than zero. When the encoded string is empty, the unsigned subtraction underflows and wraps to a very large value, causing memchr to scan adjacent heap memory. As a result, an attacker may exploit this to crash the process or expose sensitive data, such as the position of a '$' byte in neighbouring memory, potentially compromising security.
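To make the failing check concrete, the following is an added example in C and is not Crypt::Argon2's own code; the function names and the separator lookup are assumptions. The unchecked form mirrors the pattern the advisory describes, the checked form adds the length validation a fix needs, and wrapped_length shows the arithmetic behind the underflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the flawed pattern: encoded_len - 1 is handed to
 * memchr with no check that encoded_len > 0. For encoded_len == 0 the size_t
 * subtraction wraps to SIZE_MAX, so memchr would scan heap memory far beyond
 * the zero-length buffer. Never call this with encoded_len == 0. */
static const char *find_separator_unchecked(const char *encoded, size_t encoded_len)
{
    return memchr(encoded, '$', encoded_len - 1);
}

/* Hardened form: reject NULL or empty input before the subtraction happens. */
static const char *find_separator_checked(const char *encoded, size_t encoded_len)
{
    if (encoded == NULL || encoded_len == 0)
        return NULL;                     /* nothing to scan, no underflow */
    return memchr(encoded, '$', encoded_len - 1);
}

/* The arithmetic behind the bug: 0 - 1 in size_t is SIZE_MAX, not -1. */
size_t wrapped_length(size_t encoded_len)
{
    return encoded_len - 1;
}

/* Offset of the first '$' in an encoded string (e.g. "$argon2id$..."), or -1
 * when the input is empty or contains no separator. This is the guarded
 * lookup a verify routine should use before parsing the encoding. */
long separator_offset(const char *encoded, size_t encoded_len)
{
    const char *p = find_separator_checked(encoded, encoded_len);
    return p ? (long)(p - encoded) : -1;
}
```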
Affected Version(s)
Crypt::Argon2 >= 0.017, < 0.031
