CVE-2026-39853
Stack Buffer Overflow in osslsigncode Signature Verification
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osslsigncode_project | osslsigncode | to 2.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in osslsigncode prior to version 2.12 is a stack buffer overflow that can lead to arbitrary code execution or denial of service when verifying maliciously crafted signed files.
While the CVE description and resources detail the technical impact and severity of the vulnerability, there is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
However, given that the vulnerability can compromise confidentiality, integrity, and availability of the verification process (as indicated by the CVSS impact metrics), organizations relying on osslsigncode for signature verification might face increased risk of data breaches or integrity violations, which could indirectly impact compliance with data protection regulations.
Can you explain this vulnerability to me?
CVE-2026-39853 is a stack buffer overflow vulnerability in the osslsigncode tool, which is used for Authenticode signing and timestamping. The flaw occurs during the verification of PKCS#7 signatures, where the code copies a digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer without checking if the digest length fits within the buffer. This unsafe copying can overflow the buffer and corrupt adjacent stack memory.
This vulnerability affects signature verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field that triggers this overflow when verified by osslsigncode.
The issue was fixed in osslsigncode version 2.12 by introducing a safe extraction function that validates the digest length before copying, preventing the buffer overflow.
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to arbitrary code execution within the context of the user running osslsigncode or cause a denial of service by crashing the application.
Since the vulnerability is triggered by verifying a maliciously crafted signed file, an attacker could use this to execute malicious code or disrupt services on systems that use vulnerable versions of osslsigncode.
The vulnerability requires local user interaction (verifying a malicious file) but does not require special privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs during the verification of PKCS#7 signatures using the osslsigncode tool, specifically when verifying signed PE, MSI, CAB, or script files. Detection involves identifying usage of vulnerable osslsigncode versions (prior to 2.12) and monitoring for attempts to verify potentially malicious signed files.
To detect if your system is vulnerable, first check the installed osslsigncode version:
- osslsigncode --version
If the version is earlier than 2.12, your system is vulnerable. To detect exploitation attempts, monitor logs or usage of osslsigncode verify commands on untrusted signed files.
Example command to verify a signed file (which could trigger the vulnerability if the file is malicious):
- osslsigncode verify <signed_file>
There are no specific network detection commands provided in the resources, as the vulnerability is local and triggered by user interaction verifying malicious files.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade osslsigncode to version 2.12 or later, where the vulnerability has been fixed.
Until the upgrade is applied, avoid verifying untrusted or suspicious signed files using osslsigncode, as this triggers the vulnerability.
The fix involves safe extraction and validation of digest lengths during signature verification, preventing buffer overflow.
Summary of mitigation steps:
- Upgrade osslsigncode to version 2.12 or later immediately.
- Avoid verifying untrusted signed files with osslsigncode until upgraded.
- Monitor and audit usage of osslsigncode verify commands on your systems.