Skip to main content

Suse EUVDEUVD-2026-20946

| CVE-2026-39856 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-09 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.13
EUVD ID Assigned
Apr 09, 2026 - 16:30 euvd
EUVD-2026-20946
Analysis Generated
Apr 09, 2026 - 16:30 vuln.today
CVE Published
Apr 09, 2026 - 16:03 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.

AnalysisAI

Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.

Technical ContextAI

osslsigncode is a command-line tool for Authenticode signing and timestamping of Windows PE (Portable Executable) files. The vulnerability resides in the pe_page_hash_calc() function, which computes page hashes as part of the PE signing process. PE files contain section headers with PointerToRawData (file offset) and SizeOfRawData (size in file) fields. The vulnerable code reads from these offsets without validating that the specified region lies entirely within the mapped file boundaries. The root cause is CWE-125 (Out-of-bounds Read), a classic memory safety flaw where the application reads beyond allocated or mapped memory. When a section header points beyond the file end, subsequent memory access attempts read from unmapped or uninitialized memory regions, triggering a crash. The flaw affects all versions of osslsigncode up to 2.12 (cpe:2.3:a:mtrojnar:osslsigncode:*:*:*:*:*:*:*:*), which uses OpenSSL and PKCS#7 for Authenticode operations.

RemediationAI

Upgrade osslsigncode to version 2.13 or later, which includes a fix to validate section header boundaries before reading PE data (commit 92f8761b4770f76a36731969b5040ce3b9a09570 in the official repository). Users should download the patched release from https://github.com/mtrojnar/osslsigncode/releases/tag/2.13. No workaround is available for users unable to upgrade immediately; however, the risk can be partially mitigated by restricting file signing operations to trusted PE files and avoiding the processing of PE files from untrusted sources. Users should also review any CI/CD pipelines that automatically process and sign binaries to ensure they validate input files for correctness before passing them to osslsigncode. For additional details, consult the GitHub security advisory at https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-20946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy