CVE-2026-39853
EUVD-2026-20942
09.04.2026, 16:16
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, a stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with `osslsigncode verify`, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
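The copy pattern the advisory describes, shown beside a bounded version, as an added illustration that is not osslsigncode's own code: the `spc_digest_t` type, the function names and the `try_copy` helper are hypothetical stand-ins for the parsed ASN.1 structure, and the check goes one step beyond the advisory by also requiring the digest to be exactly as long as the declared algorithm's output.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors OpenSSL's EVP_MAX_MD_SIZE (64 bytes), the size of the stack
 * buffer named in the advisory, so the example builds without OpenSSL. */
#ifndef EVP_MAX_MD_SIZE
#define EVP_MAX_MD_SIZE 64
#endif

/* Hypothetical model of the digest parsed from SpcIndirectDataContent:
 * the octets plus the length the ASN.1 parser reported. Both come from
 * the signed file, so the length is attacker-controlled. */
typedef struct {
    const unsigned char *data;
    size_t len;
} spc_digest_t;

/* The pattern the advisory describes: the parsed length is never
 * compared with the destination size, so len > 64 writes past mdbuf. */
void copy_digest_unchecked(unsigned char mdbuf[EVP_MAX_MD_SIZE],
                           const spc_digest_t *d)
{
    memcpy(mdbuf, d->data, d->len);
}

/* Hardened form: refuse a digest that does not fit the fixed buffer and,
 * more strictly, one whose length differs from the declared algorithm's
 * output size (expected_len, e.g. 32 for SHA-256).
 * Returns the number of bytes copied, or 0 when the digest is rejected. */
size_t copy_digest_checked(unsigned char mdbuf[EVP_MAX_MD_SIZE],
                           const spc_digest_t *d, size_t expected_len)
{
    if (d->data == NULL || d->len == 0)
        return 0;
    if (d->len > EVP_MAX_MD_SIZE || d->len != expected_len)
        return 0;
    memcpy(mdbuf, d->data, d->len);
    return d->len;
}

/* Helper for exercising the check: builds a constructed digest of
 * claimed_len bytes (up to 128, larger than mdbuf) and runs the check. */
size_t try_copy(size_t claimed_len, size_t expected_len)
{
    static unsigned char sample[128];        /* constructed sample data */
    unsigned char mdbuf[EVP_MAX_MD_SIZE];
    spc_digest_t d = { sample, claimed_len > sizeof sample ? sizeof sample
                                                            : claimed_len };
    memset(sample, 0xAB, sizeof sample);
    return copy_digest_checked(mdbuf, &d, expected_len);
}
```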
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| osslsigncode_project | osslsigncode | x < 2.12 |

x = vulnerable software versions