{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39856", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-09T16:03:28.233Z", "dateUpdated": "2026-04-13T20:06:35.283Z"}, "containers": {"cna": {"title": "osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8"}, {"name": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570", "tags": ["x_refsource_MISC"], "url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570"}, {"name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"}], "affected": [{"vendor": "mtrojnar", "product": "osslsigncode", "versions": [{"version": "< 2.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:03:28.233Z"}, "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."}], "source": {"advisory": "GHSA-rjrx-chvw-8jw8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:06:24.980414Z", "id": "CVE-2026-39856", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:06:35.283Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:06:24.980414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:06:31.747Z"}}], "cna": {"title": "osslsigncode has an Out-of-Bounds Read via Unvalidated Section Bounds in PE Page Hash Calculation", "source": {"advisory": "GHSA-rjrx-chvw-8jw8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mtrojnar", "product": "osslsigncode", "versions": [{"status": "affected", "version": "< 2.13"}]}], "references": [{"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8", "name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570", "name": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13", "name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:03:28.233Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39856", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:06:35.283Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:03:28.233Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F16716F-B2C3-41F9-B32B-CFD011129F12", "versionEndExcluding": "2.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."}], "id": "CVE-2026-39856", "lastModified": "2026-04-17T19:59:36.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:29.310", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "osslsigncode", "source": "cna", "vendor": "mtrojnar"}, "product": "osslsigncode", "vendor": "mtrojnar"}], "analysis": {"en": {"generated_at": "2026-04-09T17:23:05.451115+00:00", "value": {"mitigation_remediation": ["Upgrade to osslsigncode version 2.13 or later to eliminate the flaw.", "If an upgrade cannot be performed immediately, refrain from using the -ph option when signing any PE file, and avoid verifying untrusted signed files that contain page hashes.", "Restrict usage of osslsigncode to trusted inputs and privileged users until a patch is available.", "Monitor system logs for repeated crashes or abnormal memory access errors that may indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds memory read leading to possible denial of service"}, "threat_synthesis": {"affected_systems": "Products affected are the osslsigncode tool published by the mtrojnar project, specifically all releases earlier than 2.13, including version 2.12 and earlier. Version 2.13, released in the 2.13 tag, contains the fix and removes the vulnerability.", "description_and_impact": "This issue occurs in the osslsigncode utility when it calculates page hashes for PE files. The routine reads from a memory region whose bounds are derived directly from the section header values, without checking that the referenced data lies within the mapped file. If an attacker provides a PE file whose section headers point past the actual end of the file, the hash computation can read beyond the file\u2019s bounds, resulting in an out\u2011of\u2011bounds read that may crash the process. The vulnerability is a classic memory read flaw (CWE\u2011125) and manifests as a denial of service rather than arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 5.5 places the flaw in the medium range; no EPSS value is available and it is not listed in the CISA KEV catalog. The attack requires an attacker to supply a specially crafted PE file to osslsigncode, which is typically a local or privileged action. The defect is triggered when the signer enables page hashing via the -ph flag or when a verifier processes a malformed signed file that already contains page hashes. Because the flaw leads only to a crash, the vulnerability is classified as a denial\u2011of\u2011service risk with limited impact scope to the process running osslsigncode."}}}}, "created": "2026-04-10T08:53:04.960553+00:00", "updated": "2026-04-10T09:32:17.683420+00:00", "vendors": ["mtrojnar", "mtrojnar$PRODUCT$osslsigncode"]}