Description
An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is located in the osslsigncode.c component of the osslsigncode project, affecting versions 2.10 and earlier. A remote attacker can exploit the flaw to obtain elevated privileges on the host system. The weakness is identified as improper privilege management and hard‑coded credentials, allowing an attacker to bypass security controls and run code with higher authority, potentially compromising the entire system.

Affected Systems

Any installation of the osslsigncode tool released by the osslsigncode_project is affected, specifically versions 2.10 and older. The issue is platform‑agnostic and applies to all supported hosts where the vulnerable binaries are used.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score below 1% suggests current exploitation is unlikely; the vulnerability is not in the CISA KEV list. The attack requires a remote attacker to invoke osslsigncode, implying that any exposure of the tool to remote or untrusted input could provide the necessary vector. Despite the low current exploitation probability, the high severity and privilege escalation capability call for prompt mitigation.

Generated by OpenCVE AI on April 2, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade osslsigncode to a version newer than 2.10 that contains the fix for privilege escalation.
  • If an upgrade is delayed, run the tool only with the least privileges possible and consider sandboxing it to contain potential compromise.
  • Regularly check the official project repository for new releases or advisory updates and apply them immediately.


Tracking


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Added: Osslsigncode Project; Osslsigncode Project osslsigncode
Type: CPEs
  Values Added: cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Osslsigncode Project; Osslsigncode Project osslsigncode

Sat, 28 Mar 2026 03:15:00 +0000

Type: Weaknesses
  Values Added: CWE-269
Type: Metrics
  Values Removed: cvssV3_1 {'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Mtrojnar; Mtrojnar osslsigncode
Type: Vendors & Products
  Values Added: Mtrojnar; Mtrojnar osslsigncode

Thu, 26 Mar 2026 00:15:00 +0000

Type: Title
  Values Added: osslsigncode: Osslsigncode: Remote privilege escalation
Type: Weaknesses
  Values Added: CWE-266
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
  Values Added: threat_severity Critical


Wed, 25 Mar 2026 19:30:00 +0000

Type: Description
  Values Added: An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component
Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-28T01:23:35.847Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70888

Vulnrichment

Updated: 2026-03-28T01:23:30.188Z

NVD

Status : Analyzed

Published: 2026-03-25T20:16:22.463

Modified: 2026-04-02T17:13:18.527

Link: CVE-2025-70888

Red Hat

Severity: Critical

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2025-70888 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:39:08Z

Weaknesses