CVE-2026-42483

Hashcat · Hashcat

A heap-based buffer overflow in the Kerberos hash parser of Hashcat v7.1.2 allows for potential arbitrary code execution via a crafted hash file.

Executive summary

A critical heap-based buffer overflow in Hashcat's Kerberos hash parser enables potential arbitrary code execution when processing malicious hash input.

Vulnerability

The vulnerability exists in the module_hash_decode function within Kerberos-related modules. It arises from a lack of upper-bound validation on the account_info_len parameter, leading to a heap-based buffer overflow when data is copied into a fixed-size buffer.
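The defect described above is a length derived from untrusted input being used for a copy into a fixed-size buffer without an upper-bound check. The following hardened decoder is an added illustration, not Hashcat's code: the `$krb$<account_info>$<rest>` line layout, the `krb_hash_t` structure and the `ACCOUNT_INFO_MAX` size are all constructed for this example, and the check applies equally whether the destination lives on the heap or the stack.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size destination; name and size chosen for this
 * example only, not Hashcat's real structure. */
#define ACCOUNT_INFO_MAX 64

typedef struct {
  size_t account_info_len;
  char   account_info[ACCOUNT_INFO_MAX];
} krb_hash_t;

enum { DECODE_OK = 0, DECODE_PARSE_ERROR = -1, DECODE_TOO_LONG = -2 };

/* Hardened decoder for the constructed layout "$krb$<account_info>$<rest>".
 * account_info_len is computed from attacker-controlled input, so it is
 * bounded against the destination buffer BEFORE any copy takes place. */
int decode_account_info(const char *line, krb_hash_t *out)
{
  static const char prefix[] = "$krb$";
  const size_t prefix_len = sizeof(prefix) - 1;

  if (strncmp(line, prefix, prefix_len) != 0) return DECODE_PARSE_ERROR;

  const char *start = line + prefix_len;
  const char *end   = strchr(start, '$');
  if (end == NULL) return DECODE_PARSE_ERROR;

  size_t account_info_len = (size_t)(end - start);

  /* This is the missing upper-bound check: an oversized field is rejected
   * instead of overrunning account_info. One byte is kept for the NUL. */
  if (account_info_len >= ACCOUNT_INFO_MAX) return DECODE_TOO_LONG;

  memcpy(out->account_info, start, account_info_len);
  out->account_info[account_info_len] = '\0';
  out->account_info_len = account_info_len;
  return DECODE_OK;
}

/* Helper: build "$krb$" + n 'A's + "$x" (constructed input) and return the
 * decoder's status, so boundary cases can be checked without a hash file. */
int decode_status_for_field_len(size_t n)
{
  char line[ACCOUNT_INFO_MAX * 4];
  if (n + 8 > sizeof(line)) return DECODE_PARSE_ERROR;
  size_t p = 0;
  memcpy(line + p, "$krb$", 5); p += 5;
  memset(line + p, 'A', n);     p += n;
  line[p++] = '$'; line[p++] = 'x'; line[p] = '\0';
  krb_hash_t h;
  return decode_account_info(line, &h);
}
```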

Business impact

With a CVSS score of 9.8, this vulnerability carries significant risk for security teams using Hashcat for password auditing. An attacker providing a malicious Kerberos hash file could trigger a crash (DoS) or gain unauthorized code execution, compromising the security of the analysis environment.

Remediation

Immediate Action: Update Hashcat to the latest version, which includes the required input validation for hash parsing.

Proactive Monitoring: Review security logs for anomalous behavior in the Hashcat process, particularly when loading Kerberos-formatted hash files.

Compensating Controls: Use strict file input controls to ensure that only trusted, validated hash files are processed by the application.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Users of Hashcat must apply the vendor-supplied update immediately. By ensuring the software is updated, administrators can mitigate the risk of memory corruption vulnerabilities that could be leveraged for system exploitation.