Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for osslsigncode by mtrojnar
CVE-2026-39856 (GCVE-0-2026-39856)
Vulnerability from nvd – Published: 2026-04-09 16:03 – Updated: 2026-04-13 20:06
VLAI?
Title
osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
Severity ?
5.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:06:24.980414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:06:35.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:03:28.233Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"
}
],
"source": {
"advisory": "GHSA-rjrx-chvw-8jw8",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39856",
"datePublished": "2026-04-09T16:03:28.233Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-13T20:06:35.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39855 (GCVE-0-2026-39855)
Vulnerability from nvd – Published: 2026-04-09 15:58 – Updated: 2026-04-09 19:22
VLAI?
Title
osslsigncode has an Integer Underflow in PE Page Hash Calculation Can Cause Out-of-Bounds Read
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
Severity ?
5.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T19:12:57.585841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:22:16.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize \u003e= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:01:51.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-76vv-x5rr-q3mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-76vv-x5rr-q3mr"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"
}
],
"source": {
"advisory": "GHSA-76vv-x5rr-q3mr",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has an Integer Underflow in PE Page Hash Calculation Can Cause Out-of-Bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39855",
"datePublished": "2026-04-09T15:58:38.559Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-09T19:22:16.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39853 (GCVE-0-2026-39853)
Vulnerability from nvd – Published: 2026-04-09 15:50 – Updated: 2026-04-09 16:15
VLAI?
Title
osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.12
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T16:13:50.325421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:15:19.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:50:26.548Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12"
}
],
"source": {
"advisory": "GHSA-hx87-8754-xvh4",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39853",
"datePublished": "2026-04-09T15:50:26.548Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-09T16:15:19.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39856 (GCVE-0-2026-39856)
Vulnerability from cvelistv5 – Published: 2026-04-09 16:03 – Updated: 2026-04-13 20:06
VLAI?
Title
osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
Severity ?
5.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:06:24.980414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:06:35.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:03:28.233Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"
}
],
"source": {
"advisory": "GHSA-rjrx-chvw-8jw8",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39856",
"datePublished": "2026-04-09T16:03:28.233Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-13T20:06:35.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39855 (GCVE-0-2026-39855)
Vulnerability from cvelistv5 – Published: 2026-04-09 15:58 – Updated: 2026-04-09 19:22
VLAI?
Title
osslsigncode has an Integer Underflow in PE Page Hash Calculation Can Cause Out-of-Bounds Read
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
Severity ?
5.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T19:12:57.585841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:22:16.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize \u003e= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:01:51.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-76vv-x5rr-q3mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-76vv-x5rr-q3mr"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"
}
],
"source": {
"advisory": "GHSA-76vv-x5rr-q3mr",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has an Integer Underflow in PE Page Hash Calculation Can Cause Out-of-Bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39855",
"datePublished": "2026-04-09T15:58:38.559Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-09T19:22:16.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39853 (GCVE-0-2026-39853)
Vulnerability from cvelistv5 – Published: 2026-04-09 15:50 – Updated: 2026-04-09 16:15
VLAI?
Title
osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mtrojnar | osslsigncode |
Affected:
< 2.12
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T16:13:50.325421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:15:19.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osslsigncode",
"vendor": "mtrojnar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:50:26.548Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68"
},
{
"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12"
}
],
"source": {
"advisory": "GHSA-hx87-8754-xvh4",
"discovery": "UNKNOWN"
},
"title": "osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39853",
"datePublished": "2026-04-09T15:50:26.548Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-04-09T16:15:19.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}