Skip to main content

Suse CVE-2026-39855

| EUVDEUVD-2026-20944 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-09 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.13
EUVD ID Assigned
Apr 09, 2026 - 16:30 euvd
EUVD-2026-20944
Analysis Generated
Apr 09, 2026 - 16:30 vuln.today
CVE Published
Apr 09, 2026 - 15:58 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.

AnalysisAI

Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.

Technical ContextAI

Osslsigncode is a command-line tool for digitally signing Windows Portable Executable (PE) files using OpenSSL, implementing Microsoft Authenticode signatures and timestamping. The vulnerability resides in the pe_page_hash_calc() function, which processes PE file headers during signature generation or verification. PE files have two critical size fields: SizeOfHeaders (hdrsize) and SectionAlignment (pagesize). The vulnerable code performs an unchecked subtraction (pagesize - hdrsize) to determine how many bytes to read from an allocated buffer. When a malicious PE file violates the PE specification by setting SizeOfHeaders larger than SectionAlignment, the unsigned integer subtraction underflows, wrapping around to a very large positive value (near 2^32 or 2^64 depending on architecture). The function then attempts to read this enormous quantity of bytes from a heap buffer allocated to only pagesize bytes, resulting in an out-of-bounds read. This is a classic integer underflow (CWE-125) leading to buffer over-read. The affected product is identified by CPE cpe:2.3:a:mtrojnar:osslsigncode:*:*:*:*:*:*:*:*, indicating all versions of the tool distributed by maintainer mtrojnar are in scope.

RemediationAI

Vendor-released patch: upgrade to osslsigncode 2.13 or later. The fix is available in the official release at https://github.com/mtrojnar/osslsigncode/releases/tag/2.13, and the upstream commit implementing the fix is available at https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568. Users should update immediately if they use osslsigncode for PE signing or verification workflows. There are no workarounds short of upgrading, as the vulnerability is embedded in core signature processing logic. For organizations unable to upgrade immediately, avoiding verification of untrusted PE files is not a practical mitigation, as legitimate supply-chain workflows require verification; therefore, patching is the primary remediation path.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-39855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy