CVE-2026-39855
Received Received - Intake
Integer Underflow in osslsigncode PE Page-Hash Causes Crash

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39855
EUVD
EUVD-2026-20944
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osslsigncode_project osslsigncode to 2.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39855 is an integer underflow vulnerability in the osslsigncode tool, specifically in the PE page hash calculation function (pe_page_hash_calc()). The vulnerability occurs because the code subtracts the PE header size (hdrsize) from the page size (pagesize) without first checking if pagesize is greater than or equal to hdrsize. If a malicious PE file sets hdrsize larger than pagesize, this subtraction underflows, producing a very large unsigned value.

This causes the program to allocate a buffer based on pagesize but then attempt to hash a much larger amount of data than the buffer contains, leading to an out-of-bounds read from the heap. This can crash the process during signing or verification of a malicious PE file with page hashing enabled.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) caused by an application crash during PE page-hash processing. An attacker can craft a malicious PE file that triggers the integer underflow, causing osslsigncode to crash when signing or verifying such files.

There is no confirmed impact on data confidentiality or integrity based on current evidence, so the vulnerability mainly affects availability by causing crashes.

Detection Guidance

This vulnerability occurs in osslsigncode versions prior to 2.13 during the processing of Portable Executable (PE) files with malformed headers where SizeOfHeaders is larger than SectionAlignment. Detection involves identifying usage of vulnerable osslsigncode versions and analyzing PE files for this condition.

Specifically, detection can focus on verifying the osslsigncode version installed on your system and checking PE files for abnormal SizeOfHeaders values exceeding SectionAlignment.

Suggested commands include:

  • Check osslsigncode version: `osslsigncode --version` (ensure it is 2.13 or later to be patched)
  • Manually inspect PE files using tools like `objdump` or `readpe` to compare SizeOfHeaders and SectionAlignment fields.
  • Use osslsigncode to verify or sign PE files with page hashing enabled (`-ph` option) and monitor for crashes or errors indicating the vulnerability is triggered.
Mitigation Strategies

The primary mitigation is to upgrade osslsigncode to version 2.13 or later, where the vulnerability has been fixed by adding proper validation of header bounds during PE page hash calculation.

Until the upgrade is applied, avoid processing untrusted or malicious PE files with osslsigncode, especially when using the page hashing feature (-ph option).

Additionally, monitor for application crashes during signing or verification of PE files, which may indicate exploitation attempts.

Compliance Impact

This vulnerability causes a denial of service via application crash during PE page-hash processing but has no confirmed impact on data confidentiality or integrity.

Since there is no evidence of data breach, data loss, or unauthorized data modification, the vulnerability does not directly affect compliance with standards like GDPR or HIPAA that focus on protecting personal or sensitive data.

However, the denial of service could impact availability, which is a component of some compliance frameworks, so organizations relying on osslsigncode for signing or verification might need to consider availability risks until the vulnerability is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39855. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart