{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39853", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-09T15:50:26.548Z", "dateUpdated": "2026-04-09T16:15:19.583Z"}, "containers": {"cna": {"title": "osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4"}, {"name": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68", "tags": ["x_refsource_MISC"], "url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68"}, {"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12"}], "affected": [{"vendor": "mtrojnar", "product": "osslsigncode", "versions": [{"version": "< 2.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:50:26.548Z"}, "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."}], "source": {"advisory": "GHSA-hx87-8754-xvh4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T16:13:50.325421Z", "id": "CVE-2026-39853", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:15:19.583Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39853", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T16:13:50.325421Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:13:53.250Z"}}], "cna": {"title": "osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification", "source": {"advisory": "GHSA-hx87-8754-xvh4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mtrojnar", "product": "osslsigncode", "versions": [{"status": "affected", "version": "< 2.12"}]}], "references": [{"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4", "name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68", "name": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12", "name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:50:26.548Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39853", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:15:19.583Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T15:50:26.548Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."}], "id": "CVE-2026-39853", "lastModified": "2026-04-09T16:16:31.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T16:16:31.233", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68"}, {"source": "security-advisories@github.com", "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12"}, {"source": "security-advisories@github.com", "url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "osslsigncode", "source": "cna", "vendor": "mtrojnar"}, "product": "osslsigncode", "vendor": "mtrojnar"}], "analysis": {"en": {"generated_at": "2026-04-09T17:24:52.471501+00:00", "value": {"mitigation_remediation": ["Upgrade to osslsigncode version 2.12 or newer.", "If an upgrade is not immediately possible, limit the use of osslsigncode verify to files from trusted sources and isolate the verification process in a sandboxed environment.", "Disable or replace osslsigncode for signature verification if it is not a critical component in your workflow."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendor mtrojnar\u2019s osslsigncode tool is affected. Any release prior to version 2.12 is vulnerable. The fix was released in the 2.12 release and subsequent versions should contain the patch. Systems that rely on osslsigncode for signing or verifying Authenticode, PKCS#7 signatures, or timestamping are at risk when processing untrusted binary or script files.", "description_and_impact": "The vulnerability is a stack buffer overflow that occurs during verification of PKCS#7 signatures in osslsigncode. When verifying PE, MSI, CAB, or script files, the code copies a digest from SpcIndirectDataContent into a 64\u2011byte stack buffer without checking the source length. An attacker can create a malicious signed file containing an oversized digest. When a user runs osslsigncode verify on this file, the unbounded memcpy overflows the stack, corrupting adjacent data and potentially allowing arbitrary code to be executed or the application to crash. The weakness is a classic stack-based buffer overflow (CWE\u2011121) and an unvalidated memory copy (CWE\u2011787).", "risk_and_exploitability": "The CVSS base score is 7.8, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet seen widespread exploitation. However, the attack requires an attacker to supply a crafted signed file and a user to invoke osslsigncode verify, which is a local or remote file\u2011based exploitation scenario. Because the stack corruption can lead to arbitrary code execution, the risk remains significant for environments that routinely verify signatures from untrusted sources."}}}}, "created": "2026-04-10T08:53:11.009520+00:00", "updated": "2026-04-10T09:32:23.549454+00:00", "vendors": ["mtrojnar", "mtrojnar$PRODUCT$osslsigncode"]}