Description
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
Published: 2026-04-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds memory read leading to possible denial of service
Action: Apply Patch
AI Analysis

Impact

This issue occurs in the osslsigncode utility when it calculates page hashes for PE files. The routine reads from a memory region whose bounds are derived directly from the section header values, without checking that the referenced data lies within the mapped file. If an attacker provides a PE file whose section headers point past the actual end of the file, the hash computation can read beyond the file’s bounds, resulting in an out‑of‑bounds read that may crash the process. The vulnerability is a classic memory read flaw (CWE‑125) and manifests as a denial of service rather than arbitrary code execution.
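The missing validation described above, as an added example in C (not osslsigncode's code and not the 2.13 patch): it walks the section table and checks each PointerToRawData/SizeOfRawData pair against the file length before any section data would be read. The function names and the 256-byte sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_HDR_SIZE 40 /* on-disk size of one PE section header */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 1 if [off, off+len) fits in file_len bytes; the subtraction form cannot wrap. */
static int in_file(uint64_t file_len, uint64_t off, uint64_t len) {
    return off <= file_len && len <= file_len - off;
}

/* Hypothetical helper. Returns -1 if every section's raw data lies inside the
 * file, the index of the first section that does not, or -2 on bad headers. */
int pe_check_section_bounds(const uint8_t *file, size_t file_len) {
    if (!in_file(file_len, 0x3c, 4)) return -2;
    uint32_t pe = rd32(file + 0x3c);                           /* e_lfanew */
    if (!in_file(file_len, pe, 24) || rd32(file + pe) != 0x00004550) return -2;
    uint16_t nsect = rd16(file + pe + 6);                      /* NumberOfSections */
    uint64_t table = (uint64_t)pe + 24 + rd16(file + pe + 20); /* + SizeOfOptionalHeader */
    if (!in_file(file_len, table, (uint64_t)nsect * SECTION_HDR_SIZE)) return -2;
    for (uint16_t i = 0; i < nsect; i++) {
        const uint8_t *sh = file + table + (size_t)i * SECTION_HDR_SIZE;
        uint32_t size = rd32(sh + 16), ptr = rd32(sh + 20);    /* SizeOfRawData, PointerToRawData */
        if (size != 0 && !in_file(file_len, ptr, size)) return i;
    }
    return -1;
}

/* Constructed sample: 256-byte buffer with minimal headers and one section. */
int check_sample(uint32_t ptr, uint32_t size) {
    uint8_t buf[256] = {0};
    wr32(buf + 0x3c, 0x40);        /* e_lfanew */
    wr32(buf + 0x40, 0x00004550);  /* "PE\0\0" */
    buf[0x46] = 1;                 /* NumberOfSections = 1, SizeOfOptionalHeader = 0 */
    wr32(buf + 0x58 + 16, size);   /* section table starts at 0x40 + 24 */
    wr32(buf + 0x58 + 20, ptr);
    return pe_check_section_bounds(buf, sizeof buf);
}

int main(void) {
    printf("in range:    %d\n", check_sample(0x80, 0x80));
    printf("past EOF:    %d\n", check_sample(0x80, 0x1000));
    printf("32-bit wrap: %d\n", check_sample(0xFFFFFFF0u, 0x20));
    return 0;
}
```

The third case is the one a naive `ptr + size <= file_len` check in 32-bit arithmetic would accept, because the sum wraps to a small value.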

Affected Systems

The affected product is the osslsigncode tool published by the mtrojnar project: all releases earlier than 2.13 (version 2.12 and earlier). Version 2.13, released in the 2.13 tag, contains the fix.

Risk and Exploitability

The CVSS score of 5.5 places the flaw in the medium range; no EPSS value is available and it is not listed in the CISA KEV catalog. The attack requires an attacker to supply a specially crafted PE file to osslsigncode, which is typically a local or privileged action. The defect is triggered when the signer enables page hashing via the -ph flag or when a verifier processes a malformed signed file that already contains page hashes. Because the flaw leads only to a crash, the vulnerability is classified as a denial‑of‑service risk with limited impact scope to the process running osslsigncode.

Generated by OpenCVE AI on April 9, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to osslsigncode version 2.13 or later to eliminate the flaw.
  • If an upgrade cannot be performed immediately, refrain from using the -ph option when signing any PE file, and avoid verifying untrusted signed files that contain page hashes.
  • Restrict usage of osslsigncode to trusted inputs and privileged users until the upgrade has been applied.
  • Monitor system logs for repeated crashes or abnormal memory access errors that may indicate exploitation attempts.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mtrojnar; Mtrojnar osslsigncode
Vendors & Products | | Mtrojnar; Mtrojnar osslsigncode

Thu, 09 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | (text identical to the Description at the top of this page)
Title | | osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:03:28.233Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39856

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T17:16:29.310

Modified: 2026-04-09T17:16:29.310

Link: CVE-2026-39856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:17Z

Weaknesses