Security Advisories (1)
CVE-2026-8463 (2026-05-13)

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.

NAME

argon2-calibrate - a script to find the appropriate argon2 parameters

VERSION

version 0.024

DESCRIPTION

This program implements the following procedure, as recommended by the argon2 authors:

1. Select the type y. If you do not know the difference between them, choose Argon2id.
2. Figure out the maximum number of threads h that can be initiated by each call to Argon2. This is the parallelism argument.
3. Figure out the maximum amount of memory m that each call can afford.
4. Figure out the maximum amount x of time (in seconds) that each call can afford.
5. Select the salt length. 16 bytes is sufficient for all applications, but can be reduced to 8 bytes in the case of space constraints.
6. Select the tag (output) size. 16 bytes is sufficient for most applications, including key derivation.
7. Run the scheme of type y, memory m and h lanes and threads, using different numbers of passes t. Figure out the maximum t such that the running time does not exceed x. If it exceeds x even for t = 1, reduce m accordingly. If using Argon2i, t must be at least 3.
8. Hash all the passwords with the just determined values m, h, and t.
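The loop behind steps 2 to 7, written here as an added Perl example against the Crypt::Argon2 API (this is not the argon2-calibrate script's own code). The thread, memory and time budgets, the 8 MiB floor and the halve-on-overrun strategy are assumptions to adjust for a deployment.

```perl
#!/usr/bin/env perl
# Added example: find the largest Argon2id pass count t that keeps one hash
# within a time budget x at memory m and parallelism h (steps 2-7 above).
use strict;
use warnings;
use Time::HiRes qw(time);
use Crypt::Argon2 qw(argon2id_raw);

# Assumed budgets for this example; adjust to your deployment.
my $parallelism    = 2;          # h: threads per hash call
my $memory_kib     = 64 * 1024;  # m: starting memory budget, 64 MiB in kibibytes
my $max_seconds    = 0.5;        # x: maximum acceptable time per call
my $min_memory_kib = 8 * 1024;   # assumed floor: refuse to go below 8 MiB
my $salt           = "\x00" x 16; # 16-byte salt, fixed so timings are comparable
my $tag_size       = 16;         # 16-byte tag, sufficient for most uses

# Time a single Argon2id run with the given t and m; returns seconds.
sub time_hash {
    my ($t_cost, $m_kib) = @_;
    my $start = time;
    argon2id_raw("calibration-password", $salt, $t_cost, $m_kib, $parallelism, $tag_size);
    return time - $start;
}

# Step 7: raise t while a run stays within x; if even t = 1 is too slow,
# halve m and start over (halving is this example's choice of "reduce m").
sub calibrate {
    my $m_kib = $memory_kib;
    while ($m_kib >= $min_memory_kib) {
        my $t = 1;
        if (time_hash($t, $m_kib) > $max_seconds) {
            $m_kib = int($m_kib / 2);
            next;
        }
        while (1) {
            last if time_hash($t + 1, $m_kib) > $max_seconds;
            $t++;
        }
        return ($t, $m_kib);
    }
    die "Could not meet the time budget even at $min_memory_kib KiB\n";
}

my ($t_cost, $m_kib) = calibrate();
printf "Use Argon2id with t=%d, m=%d KiB, parallelism=%d\n",
    $t_cost, $m_kib, $parallelism;
```

Run it on the hardware that will serve logins, not a developer laptop, since the result only reflects the machine that timed it.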

AUTHOR

Leon Timmermans <leont@cpan.org>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2013 by Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans.

This is free software, licensed under:

The Apache License, Version 2.0, January 2004