pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate severity
GitHub Reviewed
Published
Jun 1, 2026
in
jetperch/pymonocypher
•
Updated Jul 9, 2026
Description
Published to the GitHub Advisory Database
Jul 9, 2026
Reviewed
Jul 9, 2026
Last updated
Jul 9, 2026
Impact
The argon2i_32 implementation does not check the nb_blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i_32 will write past the end of the buffer and possibly corrupt the heap.
Patches
Fixed in 4.0.2.8, which now verifies that nb_blocks is large enough. See 90ff5b1.
Workarounds
Provide a correctly sized nb_blocks buffer.
pymonocypher thanks Haris (hextheshadow) for the vulnerability report, details, and recommended fix.
References