CVE-2026-39856
Received Received - Intake
Out-of-Bounds Read in osslsigncode PE Page Hashing Causes Crash

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39856
EUVD
EUVD-2026-20946
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osslsigncode_project osslsigncode to 2.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39856 is an out-of-bounds read vulnerability in the osslsigncode tool, which is used for Authenticode signing and timestamping of PE (Portable Executable) files. The issue exists in versions 2.12 and earlier within the PE page-hash computation function (pe_page_hash_calc()).

The vulnerability occurs because the function uses PointerToRawData and SizeOfRawData values from PE section headers without validating that these values point to data within the actual file boundaries. An attacker can craft a malicious PE file with section headers that reference data beyond the end of the file.

When osslsigncode processes such a file to compute page hashes, it may read invalid memory regions, causing an out-of-bounds read that can crash the application. This can happen during signing with page hashing enabled or during verification of a malicious signed file containing page hashes.

Impact Analysis

This vulnerability can lead to a denial of service by crashing the osslsigncode process when handling crafted malicious PE files. Specifically, it causes an out-of-bounds read that may crash the application during signing or verification operations involving page hashes.

There is no confirmed impact on confidentiality or integrity, as the vulnerability does not provide a reliable memory disclosure channel. The main impact is availability, where the application becomes unavailable due to crashes.

Users running osslsigncode versions prior to 2.13 are at risk and should upgrade to mitigate this issue.

Detection Guidance

This vulnerability occurs when osslsigncode processes malicious PE files with crafted section headers that reference data beyond the file boundary, causing out-of-bounds reads and potential crashes.

Detection can involve monitoring for crashes or abnormal behavior of osslsigncode when signing or verifying PE files, especially when using the -ph (page hashing) option.

Since the vulnerability is triggered locally by processing crafted PE files, you can detect it by testing osslsigncode versions 2.12 and earlier with known malicious PE files or proof-of-concept exploits.

No specific commands are provided in the available resources, but you can attempt to sign or verify suspicious PE files using osslsigncode with the -ph flag and observe for crashes or errors.

Compliance Impact

The vulnerability in osslsigncode (CVE-2026-39856) causes an out-of-bounds read that can lead to application crashes, impacting availability. However, there is no confirmed confidentiality or integrity impact, as the vulnerability does not demonstrate a reliable memory disclosure channel.

Since the vulnerability affects availability but not confidentiality or integrity of data, its direct impact on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data confidentiality and integrityβ€”is limited.

Nevertheless, availability is a component of many security frameworks, and denial of service caused by this vulnerability could indirectly affect compliance if critical systems relying on osslsigncode are disrupted.

Mitigation Strategies

The primary mitigation step is to upgrade osslsigncode to version 2.13 or later, where this vulnerability has been fixed.

Version 2.13 includes robust input validation, bounds checking, and improved error handling to prevent out-of-bounds reads during PE page hash computation.

Until the upgrade is applied, avoid processing untrusted or suspicious PE files with osslsigncode versions 2.12 or earlier, especially when using the -ph option.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart