Is Stack Overflow affected by CVE-2026-39853?

osslsigncode versions prior to 2.12 contain a stack buffer overflow vulnerability in file signature verification that allows local attackers to execute arbitrary code when users verify PE, MSI, CAB, or script files.

CVE-2026-39853

Q: How to fix CVE-2026-39853?

Within 24 hours: Identify all systems running osslsigncode and document current installed versions using package managers or vendor tools. Within 7 days: Contact osslsigncode maintainers to confirm patch timeline and interim guidance; restrict file verification operations to trusted sources only. Within 30 days: Apply vendor-released patch to version 2.12 or later across all affected systems; validate patch deployment and resume normal verification workflows.

EUVD-2026-20942 HIGH

2026-04-09 GitHub_M

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 09, 2026 - 16:00 vuln.today

EUVD ID Assigned

Apr 09, 2026 - 16:00 euvd

EUVD-2026-20942

CVE Published

Apr 09, 2026 - 15:50 nvd

HIGH 7.8

Description

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.

Analysis

Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. …

Remediation

Within 24 hours: Identify all systems running osslsigncode and document current installed versions using package managers or vendor tools. Within 7 days: Contact osslsigncode maintainers to confirm patch timeline and interim guidance; restrict file verification operations to trusted sources only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

CVE-2026-39853 vulnerability details – vuln.today

Back

CVE-2026-39853

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39853

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code