{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:leont:crypt\\:\\:argon2:*:*:*:*:*:perl:*:*",
            "extracted_events": [
              {
                "introduced": "0.017"
              },
              {
                "fixed": "0.031"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "e3d1915374f7d33589ddaf70683a09e953084e45"
            },
            {
              "fixed": "6179de940f95ce7de6e3ca3407a981b4eee9ee64"
            },
            {
              "fixed": "92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64"
            }
          ],
          "repo": "https://github.com/leont/crypt-argon2",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "CPANSec",
    "cwe_ids": [
      "CWE-126",
      "CWE-191"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8463.json"
  },
  "details": "Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input.\n\nThe auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte.\n\nA caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.",
  "id": "CVE-2026-8463",
  "modified": "2026-07-15T01:49:10.684520009Z",
  "published": "2026-05-13T12:40:35.917Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/13/4"
    },
    {
      "type": "WEB",
      "url": "https://cpan.org/modules"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8463.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://metacpan.org/release/LEONT/Crypt-Argon2-0.031/changes"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8463"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64.patch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Leont/crypt-argon2"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input"
}