{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-8463","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-05-13T11:08:17.272Z","datePublished":"2026-05-13T12:40:35.917Z","dateUpdated":"2026-05-13T17:19:27.434Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Crypt-Argon2","product":"Crypt::Argon2","programFiles":["lib/Crypt/Argon2.xs"],"programRoutines":[{"name":"Crypt::Argon2::argon2_verify"}],"repo":"https://github.com/Leont/crypt-argon2","vendor":"LEONT","versions":[{"lessThan":"0.031","status":"affected","version":"0.017","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.\n\nThe auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.\n\nA caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-126","description":"CWE-126 Buffer Over-read","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-191","description":"CWE-191 Integer Underflow (Wrap or Wraparound)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-05-13T12:40:35.917Z"},"references":[{"tags":["patch"],"url":"https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64.patch"},{"tags":["release-notes"],"url":"https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes"}],"solutions":[{"lang":"en","value":"Upgrade to Crypt-Argon2 0.031 or later."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2026-05-12T00:00:00.000Z","value":"Issue reported."},{"lang":"en","time":"2026-05-13T00:00:00.000Z","value":"Crypt-Argon2 0.031 released with fix."}],"title":"Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/13/4"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-05-13T16:53:38.661Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-05-13T17:19:23.875232Z","id":"CVE-2026-8463","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-13T17:19:27.434Z"}}]}}