CVE-2026-39855
Integer Underflow in osslsigncode PE Page-Hash Causes Crash
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osslsigncode_project | osslsigncode | to 2.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service via application crash during PE page-hash processing but has no confirmed impact on data confidentiality or integrity.
Since there is no evidence of data breach, data loss, or unauthorized data modification, the vulnerability does not directly affect compliance with standards like GDPR or HIPAA that focus on protecting personal or sensitive data.
However, the denial of service could impact availability, which is a component of some compliance frameworks, so organizations relying on osslsigncode for signing or verification might need to consider availability risks until the vulnerability is patched.
Can you explain this vulnerability to me?
CVE-2026-39855 is an integer underflow vulnerability in the osslsigncode tool, specifically in the PE page hash calculation function (pe_page_hash_calc()). The vulnerability occurs because the code subtracts the PE header size (hdrsize) from the page size (pagesize) without first checking if pagesize is greater than or equal to hdrsize. If a malicious PE file sets hdrsize larger than pagesize, this subtraction underflows, producing a very large unsigned value.
This causes the program to allocate a buffer based on pagesize but then attempt to hash a much larger amount of data than the buffer contains, leading to an out-of-bounds read from the heap. This can crash the process during signing or verification of a malicious PE file with page hashing enabled.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) caused by an application crash during PE page-hash processing. An attacker can craft a malicious PE file that triggers the integer underflow, causing osslsigncode to crash when signing or verifying such files.
There is no confirmed impact on data confidentiality or integrity based on current evidence, so the vulnerability mainly affects availability by causing crashes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in osslsigncode versions prior to 2.13 during the processing of Portable Executable (PE) files with malformed headers where SizeOfHeaders is larger than SectionAlignment. Detection involves identifying usage of vulnerable osslsigncode versions and analyzing PE files for this condition.
Specifically, detection can focus on verifying the osslsigncode version installed on your system and checking PE files for abnormal SizeOfHeaders values exceeding SectionAlignment.
Suggested commands include:
- Check osslsigncode version: `osslsigncode --version` (ensure it is 2.13 or later to be patched)
- Manually inspect PE files using tools like `objdump` or `readpe` to compare SizeOfHeaders and SectionAlignment fields.
- Use osslsigncode to verify or sign PE files with page hashing enabled (`-ph` option) and monitor for crashes or errors indicating the vulnerability is triggered.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade osslsigncode to version 2.13 or later, where the vulnerability has been fixed by adding proper validation of header bounds during PE page hash calculation.
Until the upgrade is applied, avoid processing untrusted or malicious PE files with osslsigncode, especially when using the page hashing feature (-ph option).
Additionally, monitor for application crashes during signing or verification of PE files, which may indicate exploitation attempts.