{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39853/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-39853"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["osslsigncode","buffer-overflow","authenticode","code-signing","CVE-2026-39853"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack buffer overflow vulnerability has been identified in osslsigncode, a tool used for Authenticode signing and timestamping. Specifically, versions prior to 2.12 are susceptible to CVE-2026-39853. The vulnerability occurs during the verification of PKCS#7 signatures in PE, MSI, CAB, and script files. The code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (64 bytes) without proper length validation. This allows an attacker to craft a malicious signed file containing an oversized digest field within the SpcIndirectDataContent structure. When a user attempts to verify this malicious file using a vulnerable version of osslsigncode, the resulting unbounded memcpy operation overflows the stack buffer, potentially corrupting adjacent stack state and leading to arbitrary code execution. This vulnerability has been addressed in osslsigncode version 2.12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious signed file (PE, MSI, CAB, or script) with an oversized digest field within the SpcIndirectDataContent structure of the PKCS#7 signature.\u003c/li\u003e\n\u003cli\u003eThe malicious file is distributed to a target user or system.\u003c/li\u003e\n\u003cli\u003eThe target system uses a vulnerable version of osslsigncode (prior to 2.12) to verify the signature of the malicious file using the command \u003ccode\u003eosslsigncode verify\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the signature verification process, osslsigncode parses the SpcIndirectDataContent structure.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code attempts to copy the digest value from the parsed SpcIndirectDataContent into a fixed-size stack buffer (64 bytes) without proper length validation.\u003c/li\u003e\n\u003cli\u003eDue to the oversized digest field, the \u003ccode\u003ememcpy\u003c/code\u003e operation overflows the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe stack buffer overflow corrupts adjacent stack state, potentially overwriting return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eThe corrupted stack state leads to arbitrary code execution under the context of the osslsigncode process, granting the attacker control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39853 allows an attacker to execute arbitrary code on a system running a vulnerable version of osslsigncode. This can lead to complete system compromise, data exfiltration, or further malicious activities. While the specific number of affected systems is unknown, any system using osslsigncode for signature verification prior to version 2.12 is potentially vulnerable. The impact is significant, as it can undermine the trust placed in Authenticode signatures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade osslsigncode to version 2.12 or later to patch CVE-2026-39853 and prevent stack buffer overflows.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or unusual behavior associated with osslsigncode, which could indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on digest lengths during signature verification to prevent similar vulnerabilities in other applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T16:16:31Z","date_published":"2026-04-09T16:16:31Z","id":"/briefs/2026-04-osslsigncode-overflow/","summary":"A stack buffer overflow vulnerability (CVE-2026-39853) exists in osslsigncode versions prior to 2.12 due to insufficient validation of digest length during PKCS#7 signature verification, potentially leading to arbitrary code execution.","title":"osslsigncode Stack Buffer Overflow Vulnerability (CVE-2026-39853)","url":"https://feed.craftedsignal.io/briefs/2026-04-osslsigncode-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-39853","version":"https://jsonfeed.org/version/1.1"}