Cyber Resilience

CVE-2026-9058

Critical

Published: 25 May 2026

Published
25 May 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0031 22.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-9058 is a critical-severity Return of Wrong Status Code (CWE-393) vulnerability in Cert (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming…

more

applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1553.002 Code Signing Defense Impairment
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

Improper certificate trust validation during digital signature verification directly enables subversion of code/document signing controls, allowing forged or untrusted signatures to be accepted for authentication bypass.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Cert
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References