Cyber Posture

CVE-2026-39853

High

Published: 09 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (osslsigncode 2.12)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39853 is a high-severity Stack-based Buffer Overflow (CWE-121) in osslsigncode (osslsigncode project), affecting versions prior to 2.12. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 3.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent, recover): Directly mitigates the stack buffer overflow by requiring timely remediation, that is, patching osslsigncode to version 2.12 or later.

SI-10 Information Input Validation (prevent): Prevents the buffer overflow by enforcing bounds checking and validation of input lengths, such as the oversized digest field in SpcIndirectDataContent, before copying into fixed-size stack buffers.

SI-16 Memory Protection (prevent): Mitigates exploitation of the stack buffer overflow through memory protection mechanisms such as stack canaries, address space layout randomization, and non-executable stacks. These raise the cost of turning the corruption into code execution but do not remove the overflow itself; a canary-triggered abort is still a denial of service for the verification step.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why this technique?

The stack buffer overflow in the osslsigncode client tool enables arbitrary code execution via a crafted malicious file processed by the 'verify' command, which maps directly to exploitation of a client application vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, a stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.

Deeper analysis

CVE-2026-39853 is a stack buffer overflow vulnerability in osslsigncode, a tool for Authenticode signing and timestamping, affecting versions prior to 2.12. The issue occurs in several signature verification paths when processing PKCS#7 signatures in PE, MSI, CAB, and script files. Specifically, during verification, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) via an unbounded memcpy without validating that the source length fits the destination, leading to potential overflow and corruption of adjacent stack state. The vulnerability is associated with CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by crafting a malicious signed file with an oversized digest field in the SpcIndirectDataContent structure. The attacker needs no privileges (PR:N) but must get a user, or an automated pipeline acting on the user's behalf, to run "osslsigncode verify" on the file (UI:R, local access required). Successful exploitation triggers the buffer overflow, potentially allowing arbitrary code execution, data corruption, or denial of service, with high impact on confidentiality, integrity, and availability.
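To make the bug pattern described in the NVD text and the analysis above concrete, the following C program models the vulnerable copy beside its hardened form. It is an added example, not osslsigncode's code: the DER OCTET STRING reader, the function names, and the test vectors are all constructed for illustration, and EVP_MAX_MD_SIZE is redefined locally as 64 to match OpenSSL's value so the file builds without OpenSSL headers. The hardened version refuses any digest whose length exceeds the 64-byte destination or does not match the declared algorithm's output size, which is the SI-10 style bounds check the page recommends.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Matches OpenSSL's EVP_MAX_MD_SIZE so the example builds stand-alone;
 * the real definition lives in <openssl/evp.h>. */
#define EVP_MAX_MD_SIZE 64

/* Minimal DER OCTET STRING reader (illustrative; not the project's parser).
 * Accepts short-form and 1- or 2-byte long-form lengths, enough to encode
 * both a normal digest and an oversized one. Returns 1 on success. */
static int parse_octet_string(const unsigned char *der, size_t der_len,
                              const unsigned char **out, size_t *out_len)
{
    size_t pos = 0, len;
    if (der_len < 2 || der[pos++] != 0x04)       /* OCTET STRING tag */
        return 0;
    unsigned char b = der[pos++];
    if (b < 0x80) {
        len = b;                                  /* short form */
    } else if (b == 0x81) {
        if (der_len < 3) return 0;
        len = der[pos++];                         /* long form, 1 byte */
    } else if (b == 0x82) {
        if (der_len < 4) return 0;
        len = ((size_t)der[pos] << 8) | der[pos + 1];
        pos += 2;                                 /* long form, 2 bytes */
    } else {
        return 0;                                 /* unsupported / indefinite */
    }
    if (len > der_len - pos)                      /* content must lie inside input */
        return 0;
    *out = der + pos;
    *out_len = len;
    return 1;
}

/* Vulnerable shape of the bug: the parser only proves the digest lies inside
 * the DER buffer; nothing ties its length to the 64-byte stack destination,
 * so an attacker-chosen length above 64 writes past mdbuf. Shown for contrast
 * only; never feed it untrusted input. */
int copy_digest_unchecked(const unsigned char *digest, size_t digest_len,
                          unsigned char *mdbuf /* [EVP_MAX_MD_SIZE] */)
{
    memcpy(mdbuf, digest, digest_len);            /* unbounded copy */
    return 1;
}

/* Hardened form: validate before copying. The length must fit the destination
 * and equal the output size of the declared digest algorithm (32 for SHA-256). */
int copy_digest_checked(const unsigned char *digest, size_t digest_len,
                        size_t expected_md_len,
                        unsigned char *mdbuf /* [EVP_MAX_MD_SIZE] */)
{
    if (digest_len > EVP_MAX_MD_SIZE || digest_len != expected_md_len)
        return 0;
    memcpy(mdbuf, digest, digest_len);
    return 1;
}

/* Parse the digest field, then copy it with the hardened check.
 * Returns 1 if accepted and copied into mdbuf, 0 if malformed or oversized. */
int verify_digest_field(const unsigned char *der, size_t der_len,
                        size_t expected_md_len, unsigned char *mdbuf)
{
    const unsigned char *digest;
    size_t digest_len;
    if (!parse_octet_string(der, der_len, &digest, &digest_len))
        return 0;
    return copy_digest_checked(digest, digest_len, expected_md_len, mdbuf);
}

/* Constructed vector: well-formed 32-byte digest, 04 20 followed by 0x11 * 32. */
size_t build_good_digest(unsigned char *buf, size_t cap)
{
    if (cap < 34) return 0;
    buf[0] = 0x04; buf[1] = 0x20;
    memset(buf + 2, 0x11, 32);
    return 34;
}

/* Constructed vector: oversized digest, 04 81 80 followed by 0x41 * 128,
 * twice the capacity of mdbuf. Any unchecked memcpy of it smashes the stack. */
size_t build_oversized_digest(unsigned char *buf, size_t cap)
{
    if (cap < 131) return 0;
    buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0x80;
    memset(buf + 3, 0x41, 128);
    return 131;
}

/* Runs the hardened path over both vectors; returns how many of the four
 * expected behaviours were observed (4 means every check held). */
int run_checks(void)
{
    unsigned char der[256], mdbuf[EVP_MAX_MD_SIZE];
    int ok = 0;
    size_t n = build_good_digest(der, sizeof der);
    ok += (verify_digest_field(der, n, 32, mdbuf) == 1 &&
           mdbuf[0] == 0x11 && mdbuf[31] == 0x11);    /* accepted */
    ok += (verify_digest_field(der, n, 48, mdbuf) == 0); /* wrong algorithm size */
    n = build_oversized_digest(der, sizeof der);
    ok += (verify_digest_field(der, n, 32, mdbuf) == 0); /* 128 > 64: rejected */
    ok += (verify_digest_field(der, 10, 32, mdbuf) == 0); /* length exceeds input */
    return ok;
}

int main(void)
{
    printf("hardened checks held: %d/4\n", run_checks());
    return 0;
}
```

The second rejection matters as much as the first: even a digest that fits in 64 bytes should be refused when its length does not match the algorithm named in the signature, otherwise a later fixed-size comparison reads uninitialised bytes of mdbuf.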

Mitigation is available via the official patch in osslsigncode version 2.12, as detailed in the GitHub release (https://github.com/mtrojnar/osslsigncode/releases/tag/2.12), the fixing commit (https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68), and the security advisory (https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4). Security practitioners should upgrade affected systems promptly and avoid running "osslsigncode verify" on untrusted files with vulnerable versions. Build and release pipelines that verify externally supplied PE, MSI, CAB, or script files are the most likely place for the user-interaction requirement to be satisfied without anyone inspecting the input, so they should be upgraded first.

Details

CWE(s)

CWE-121 Stack-based Buffer Overflow
CWE-787 Out-of-bounds Write

Affected Products

osslsigncode project
osslsigncode
< 2.12 (fixed in 2.12)

CVEs Like This One

CVE-2025-70888: same product (osslsigncode project, osslsigncode)
CVE-2026-42482: shared CWE-121, CWE-787
CVE-2026-30929: shared CWE-121, CWE-787
CVE-2025-66048: shared CWE-121, CWE-787
CVE-2025-0840: shared CWE-121, CWE-787
CVE-2025-1594: shared CWE-121, CWE-787
CVE-2025-21042: shared CWE-787
CVE-2025-69195: shared CWE-121
CVE-2026-26269: shared CWE-121
CVE-2019-25321: shared CWE-121

References

https://github.com/mtrojnar/osslsigncode/releases/tag/2.12
https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68
https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4