Description
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
Published: 2026-04-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack buffer overflow that occurs during verification of PKCS#7 signatures in osslsigncode. When verifying PE, MSI, CAB, or script files, the code copies a digest from SpcIndirectDataContent into a 64‑byte stack buffer without checking the source length. An attacker can create a malicious signed file containing an oversized digest. When a user runs osslsigncode verify on this file, the unbounded memcpy overflows the stack, corrupting adjacent data and potentially allowing arbitrary code to be executed or the application to crash. The weakness is a classic stack-based buffer overflow (CWE‑121) and an unvalidated memory copy (CWE‑787).

Affected Systems

Vendor mtrojnar’s osslsigncode tool is affected. Any release prior to version 2.12 is vulnerable. The fix was released in the 2.12 release and subsequent versions should contain the patch. Systems that rely on osslsigncode for signing or verifying Authenticode, PKCS#7 signatures, or timestamping are at risk when processing untrusted binary or script files.

Risk and Exploitability

The CVSS base score is 7.8, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet seen widespread exploitation. However, the attack requires an attacker to supply a crafted signed file and a user to invoke osslsigncode verify, which is a local or remote file‑based exploitation scenario. Because the stack corruption can lead to arbitrary code execution, the risk remains significant for environments that routinely verify signatures from untrusted sources.

Generated by OpenCVE AI on April 9, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to osslsigncode version 2.12 or newer.
  • If an upgrade is not immediately possible, limit the use of osslsigncode verify to files from trusted sources and isolate the verification process in a sandboxed environment.
  • Disable or replace osslsigncode for signature verification if it is not a critical component in your workflow.

Generated by OpenCVE AI on April 9, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Osslsigncode Project
Osslsigncode Project osslsigncode
CPEs cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:*
Vendors & Products Osslsigncode Project
Osslsigncode Project osslsigncode

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mtrojnar
Mtrojnar osslsigncode
Vendors & Products Mtrojnar
Mtrojnar osslsigncode

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
Title osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification
Weaknesses CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Mtrojnar Osslsigncode
Osslsigncode Project Osslsigncode
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:15:19.583Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39853

cve-icon Vulnrichment

Updated: 2026-04-09T16:13:53.250Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T16:16:31.233

Modified: 2026-04-17T20:03:45.763

Link: CVE-2026-39853

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:23Z

Weaknesses