Skip to content

Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small

Moderate
mliberty1 published GHSA-8f95-v3jq-cj86 Jun 1, 2026

Package

pymonocypher

Affected versions

4.0.2.6

Patched versions

4.0.2.8

Description

Impact

The argon2i_32 implementation does not check the nb_blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i_32 will write past the end of the buffer and possibly corrupt the heap.

Patches

Fixed in 4.0.2.8, which now verifies that nb_blocks is large enough. See 90ff5b1.

Workarounds

Provide a correctly sized nb_blocks buffer.

Thnank you Haris (hextheshadow) for the vulnerability report, details, and recommended fix.

Severity

Moderate

CVE ID

CVE-2026-53720

Weaknesses

No CWEs

Credits