GHSA-8f95-v3jq-cj86: A Proven Heap Buffer Overflow in pymonocypher

Jun 2, 2025 · High severity · CWE-122 · 5 min read

Background

pymonocypher is a Python binding for the Monocypher cryptographic library. The argon2i_32() function performs an out-of-bounds write due to an unchecked block-index calculation. Vorthix's autonomous agent identified and confirmed the vulnerability in under 2 hours.

The Finding

The argon2i_32() function computes a block index without validating it against the allocated buffer size. Under specific input parameters, the index exceeds the allocation boundary, resulting in a heap buffer overflow on write. AddressSanitizer confirmed the write.

asan-output.txt
=================================================================
==AddressSanitizer: heap-buffer-overflow on address 0x...
WRITE of size 1024 at 0x... thread T0
    #0 0x... in argon2i_32 monocypher.c
    #1 0x... in pymonocypher wrapper
SUMMARY: AddressSanitizer: heap-buffer-overflow
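The following is an added illustration of the CWE-122 pattern described above, not Monocypher's or pymonocypher's code: a hypothetical work area of 1024-byte blocks (the size in the ASan report) addressed by a computed index, with the unchecked store beside a hardened one that validates the index against the allocation, plus an index derivation that checks each intermediate value. The struct, function names, lane/position geometry and sample sizes are all assumptions made for the example; the inputs that trigger the real bug are not on this page and are not reproduced here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical work-area model (not Monocypher's code): a memory-hard KDF
 * owns nb_blocks heap blocks of BLOCK_BYTES each and addresses them by a
 * computed index. The 1024-byte block size matches the ASan report above. */
#define BLOCK_BYTES 1024u

typedef struct {
    uint8_t *work;       /* heap buffer of nb_blocks * BLOCK_BYTES bytes */
    size_t   nb_blocks;  /* number of blocks actually allocated */
} work_area;

/* Allocate the work area, refusing block counts whose byte size would wrap. */
int work_area_init(work_area *wa, size_t nb_blocks) {
    wa->work = NULL;
    wa->nb_blocks = 0;
    if (nb_blocks == 0 || nb_blocks > SIZE_MAX / BLOCK_BYTES) {
        return -1;
    }
    wa->work = calloc(nb_blocks, BLOCK_BYTES);
    if (wa->work == NULL) {
        return -1;
    }
    wa->nb_blocks = nb_blocks;
    return 0;
}

void work_area_release(work_area *wa) {
    free(wa->work);
    wa->work = NULL;
    wa->nb_blocks = 0;
}

/* Vulnerable shape (CWE-122): the computed index is trusted, so any
 * index >= nb_blocks turns the memcpy into an out-of-bounds heap write of
 * BLOCK_BYTES bytes, the "WRITE of size 1024" that ASan flags above. */
void store_block_unchecked(work_area *wa, size_t index, const uint8_t *src) {
    memcpy(wa->work + index * BLOCK_BYTES, src, BLOCK_BYTES);
}

/* Hardened shape: validate the index against the allocation before any
 * memory access. Returns 0 on success, -1 if the write was rejected. */
int store_block_checked(work_area *wa, size_t index, const uint8_t *src) {
    if (wa->work == NULL || index >= wa->nb_blocks) {
        return -1;
    }
    /* index < nb_blocks, and nb_blocks * BLOCK_BYTES did not wrap in
     * work_area_init, so this multiplication cannot overflow either. */
    memcpy(wa->work + index * BLOCK_BYTES, src, BLOCK_BYTES);
    return 0;
}

/* Derive a block index from a (lane, position) pair the way a lane-based
 * KDF might, checking every intermediate value rather than only the result.
 * Returns 0 and sets *out on success, -1 if the geometry is inconsistent. */
int compute_block_index(size_t lane, size_t position, size_t lane_length,
                        size_t nb_blocks, size_t *out) {
    if (lane_length == 0 || position >= lane_length) {
        return -1;
    }
    if (lane >= nb_blocks / lane_length) {   /* lane beyond allocated lanes */
        return -1;
    }
    *out = lane * lane_length + position;    /* < nb_blocks by construction */
    return 0;
}

int main(void) {
    work_area wa;
    uint8_t block[BLOCK_BYTES];
    size_t idx;
    memset(block, 0xAB, sizeof block);          /* constructed sample block */
    if (work_area_init(&wa, 4) != 0) return 1;   /* 4 blocks = 4096 bytes */
    printf("index 3 -> %s\n", store_block_checked(&wa, 3, block) == 0 ? "stored" : "rejected");
    printf("index 4 -> %s\n", store_block_checked(&wa, 4, block) == 0 ? "stored" : "rejected");
    printf("lane 1, position 2 of 2 -> %s\n",
           compute_block_index(1, 2, 2, 4, &idx) == 0 ? "valid" : "rejected");
    work_area_release(&wa);
    return 0;
}
```

The point of the two-layer check is that the final `index >= nb_blocks` comparison is the backstop, while rejecting inconsistent geometry early keeps the arithmetic that produces the index from wrapping in the first place. Building the same program with `-fsanitize=address` and calling the unchecked variant with an out-of-range index is how a report like the one above is produced during testing; the hardened variant returns -1 instead of touching memory.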

Timeline

Found, reported, and patch live on PyPI — all within 15 hours on Jun 2, 2025.

Date          Event
Jun 2, 2025   Vulnerability identified by Vorthix agent — under 2 hours
Jun 2, 2025   Reported to maintainer via GitHub security advisory
Jun 2, 2025   Maintainer confirmed and patched
Jun 2, 2025   Fix live on PyPI — 15 hours after initial disclosure

“Proof in hours. Patch in hours. That's the standard.”