CVE-2026-54001
Received Received - Intake

Heap Buffer Overflow in osquery on Windows

Vulnerability report for CVE-2026-54001, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
osquery osquery to 5.23.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54001 is a high-severity vulnerability in osquery versions 5.23.0 and earlier on Windows. It involves a heap buffer out-of-bounds write triggered when a local unprivileged attacker queries the authenticode table with a maliciously crafted binary. The root cause is improper handling of publisher information parsing in the getOriginalProgramName function, which incorrectly manages memory buffers during decoding of Authenticode signatures.

This vulnerability is classified as a heap-based buffer overflow (CWE-122), where memory allocated on the heap can be overwritten due to improper bounds checking. The issue allows an attacker to corrupt adjacent heap memory by causing CryptDecodeObject to write past the end of the buffer.

The vulnerability was fixed in osquery version 5.23.1 by changing the decoding function to CryptDecodeObjectEx, which properly allocates memory and prevents buffer overflows.

Detection Guidance

This vulnerability involves a heap buffer overflow triggered by queries to the authenticode table in osquery on Windows systems. To detect potential exploitation attempts, you can monitor or audit queries targeting the authenticode table, especially those involving suspicious or maliciously crafted binaries.

Specifically, running osquery queries that access the authenticode table on Windows systems can help identify if any queries are being made that might trigger the vulnerability.

A suggested command to check for queries on the authenticode table could be:

  • SELECT * FROM authenticode WHERE original_program_name IS NULL OR original_program_name = '';

This query attempts to find entries where the original_program_name is empty, which was a symptom of the vulnerability before the fix. Monitoring for unusual authenticode queries or failures may indicate attempts to exploit the issue.

Additionally, auditing local user activity for attempts to query the authenticode table or running osquery with verbose logging could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade osquery to version 5.23.1 or later, where this vulnerability has been fixed.

If immediate patching is not feasible, users are advised to disable queries to the authenticode table on Windows systems to prevent triggering the heap buffer overflow.

Monitoring and restricting local unprivileged user access to run queries against the authenticode table can also reduce the risk of exploitation.

Impact Analysis

If successfully exploited, this vulnerability can allow a local unprivileged user on a Windows system to escalate their privileges from a standard user to SYSTEM level, which is the highest privilege level on Windows.

This means an attacker could gain full control over the affected system, potentially allowing them to execute arbitrary code, install software, access sensitive data, or disrupt system operations.

There are no known public exploits at the time of disclosure, but the risk remains significant due to the potential impact of privilege escalation.

Users who cannot immediately upgrade to version 5.23.1 are advised to disable queries to the authenticode table on Windows to mitigate the risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54001. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart