Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
AnalysisAI
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Technical ContextAI
Osslsigncode is a command-line tool for digitally signing Windows Portable Executable (PE) files using OpenSSL, implementing Microsoft Authenticode signatures and timestamping. The vulnerability resides in the pe_page_hash_calc() function, which processes PE file headers during signature generation or verification. PE files have two critical size fields: SizeOfHeaders (hdrsize) and SectionAlignment (pagesize). The vulnerable code performs an unchecked subtraction (pagesize - hdrsize) to determine how many bytes to read from an allocated buffer. When a malicious PE file violates the PE specification by setting SizeOfHeaders larger than SectionAlignment, the unsigned integer subtraction underflows, wrapping around to a very large positive value (near 2^32 or 2^64 depending on architecture). The function then attempts to read this enormous quantity of bytes from a heap buffer allocated to only pagesize bytes, resulting in an out-of-bounds read. This is a classic integer underflow (CWE-125) leading to buffer over-read. The affected product is identified by CPE cpe:2.3:a:mtrojnar:osslsigncode:*:*:*:*:*:*:*:*, indicating all versions of the tool distributed by maintainer mtrojnar are in scope.
RemediationAI
Vendor-released patch: upgrade to osslsigncode 2.13 or later. The fix is available in the official release at https://github.com/mtrojnar/osslsigncode/releases/tag/2.13, and the upstream commit implementing the fix is available at https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568. Users should update immediately if they use osslsigncode for PE signing or verification workflows. There are no workarounds short of upgrading, as the vulnerability is embedded in core signature processing logic. For organizations unable to upgrade immediately, avoiding verification of untrusted PE files is not a practical mitigation, as legitimate supply-chain workflows require verification; therefore, patching is the primary remediation path.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20944