Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
AnalysisAI
Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.
Technical ContextAI
Root cause is unbounded memcpy from parsed PKCS#7 SpcIndirectDataContent digest to mdbuf[EVP_MAX_MD_SIZE] stack buffer (64 bytes) across multiple verification code paths. CWE-121 stack-based buffer overflow exploits missing bounds check on source digest length prior to memory copy operation, enabling stack corruption via crafted ASN.1 structures in signature metadata.
RemediationAI
Vendor-released patch: upgrade to osslsigncode 2.12 immediately via https://github.com/mtrojnar/osslsigncode/releases/tag/2.12. The fix commit cbee1e723c5a8547302bd841ad9943ed8144db68 implements digest length validation before memcpy operations. No workarounds exist; vulnerable versions should be replaced. Users must avoid verifying untrusted signed files with versions <2.12. Organizations using osslsigncode in automated verification pipelines should audit recent verification activity for potential exploitation attempts. Complete advisory at https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4. CVSS 7.8 requires user interaction (UI:R) but no authentication (PR:N); exploitation occurs locally during verification operations.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20942