CVE-2026-39856 Overview
CVE-2026-39856 is an out-of-bounds read vulnerability affecting osslsigncode, a widely used tool for implementing Microsoft Authenticode signing and timestamping for Portable Executable (PE) files. The vulnerability exists in version 2.12 and earlier within the PE page-hash computation code, specifically in the pe_page_hash_calc() function. When processing PE sections for page hashing, the function fails to validate that the memory regions referenced by the PointerToRawData and SizeOfRawData values in section headers actually lie within the mapped file boundaries.
Critical Impact
An attacker can craft a malicious PE file that causes osslsigncode to read from invalid memory regions during signing or verification operations, potentially crashing the process and causing denial of service.
Affected Products
- osslsigncode version 2.12 and earlier
- Systems using osslsigncode for Authenticode signing with page hashing enabled (-ph flag)
- Systems verifying signed PE files containing page hashes
Discovery Timeline
- 2026-04-09 - CVE-2026-39856 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39856
Vulnerability Analysis
This out-of-bounds read vulnerability (CWE-125) resides in the PE page hash computation logic of osslsigncode. The pe_page_hash_calc() function is responsible for generating cryptographic hashes of individual pages within PE file sections—a feature used by Windows to verify code integrity at the page level during execution.
The vulnerable code path trusts the PointerToRawData and SizeOfRawData fields directly from PE section headers without performing bounds checking against the actual size of the memory-mapped file. PE files are structured with headers containing metadata about various sections (code, data, resources), and these headers include pointers to where the raw section data resides within the file.
An attacker exploiting this vulnerability can create a PE file with intentionally crafted section headers whose PointerToRawData values point beyond the legitimate end of the file. When osslsigncode attempts to compute page hashes for these sections, it uses those offsets without checking them against the mapping, causing reads from unallocated or invalid memory regions past the end of the mapped file.
Root Cause
The root cause is insufficient input validation in the pe_page_hash_calc() function. The function directly uses section header values (PointerToRawData and SizeOfRawData) to calculate memory offsets for hash computation without verifying that:
- The starting offset (PointerToRawData) falls within the mapped file
- The ending offset (PointerToRawData + SizeOfRawData) does not exceed the file's boundaries
- The computed region does not wrap around due to integer overflow
This violates the security principle of validating all input from untrusted sources—in this case, the PE file being processed.
Attack Vector
The vulnerability requires local access and user interaction, as the attacker must convince a user to process a malicious PE file. Two attack vectors exist:
Signing Vector: When a user attempts to sign a maliciously crafted PE file with page hashing enabled (using the -ph flag), osslsigncode processes the file and triggers the out-of-bounds read.
Verification Vector: When verifying an already-signed malicious PE file that contains page hashes, the vulnerability can be triggered without the verifier explicitly passing the -ph flag, as page hash verification is automatically performed for files that contain them.
The attack can cause process crashes and denial of service. While the primary impact is availability (process crash), out-of-bounds read vulnerabilities can sometimes lead to information disclosure if the memory contents are exposed through error messages or other channels.
Detection Methods for CVE-2026-39856
Indicators of Compromise
- Unexpected crashes or segmentation faults in osslsigncode processes
- Core dumps generated during PE file signing or verification operations
- Error logs indicating memory access violations during page hash computation
- Presence of PE files with abnormally large or suspicious PointerToRawData and SizeOfRawData values in section headers
Detection Strategies
- Monitor for osslsigncode process crashes, particularly those occurring during -ph (page hash) operations
- Implement file integrity checks to identify PE files with malformed section headers before processing
- Deploy application crash monitoring to detect repeated failures in code signing infrastructure
- Use static analysis tools to validate PE file structure before submitting to osslsigncode
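As an added example (not osslsigncode's own code), here is the validation described under Root Cause and the pre-submission header check suggested under Detection Strategies, in C: an overflow-safe bounds test for one section's raw-data range, plus a walker that applies it to every section header of a PE image. Offsets follow the standard PE/COFF header layout; the sample image is constructed inline and is not a real binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The check the advisory says pe_page_hash_calc() lacked: does [ptr, ptr+size)
 * lie inside a file of filelen bytes? Subtraction rather than addition, so a
 * huge PointerToRawData cannot wrap the end offset (third Root Cause item). */
bool raw_region_in_bounds(uint32_t ptr, uint32_t size, size_t filelen)
{
    if (ptr > filelen) return false;   /* start beyond end of file */
    return size <= filelen - ptr;      /* false when the end lies beyond end of file */
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Walk the section table of a PE image in buf[0..len) and count sections whose
 * raw data lies outside the file; -1 if the headers themselves do not fit. */
int count_oob_sections(const uint8_t *buf, size_t len)
{
    if (len < 0x40) return -1;
    uint32_t pe_off = rd32(buf + 0x3c);                               /* e_lfanew */
    if (pe_off > len || len - pe_off < 24) return -1;                 /* "PE\0\0" + 20-byte COFF header */
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe_off + 4;
    uint16_t nsect = rd16(coff + 2), optsz = rd16(coff + 16);         /* NumberOfSections, SizeOfOptionalHeader */
    size_t sect_off = (size_t)pe_off + 24 + optsz;
    if (sect_off > len || (len - sect_off) / 40 < nsect) return -1;   /* section table must fit */
    int bad = 0;
    for (uint16_t i = 0; i < nsect; i++) {
        const uint8_t *sh = buf + sect_off + (size_t)i * 40;          /* 40-byte section header */
        if (!raw_region_in_bounds(rd32(sh + 20), rd32(sh + 16), len)) bad++; /* PointerToRawData, SizeOfRawData */
    }
    return bad;
}
/* Constructed SAMPLE_LEN-byte image with one section carrying the given header
 * values: MZ stub, e_lfanew = 0x40, empty optional header, section header at 0x58. */
#define SAMPLE_LEN 256
const uint8_t *sample_pe(uint32_t ptr, uint32_t size)
{
    static uint8_t out[SAMPLE_LEN]; memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z'; out[0x3c] = 0x40;
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x46] = 1;                                                    /* NumberOfSections = 1 */
    for (int i = 0; i < 4; i++) {                                     /* little-endian fields */
        out[0x58 + 16 + i] = (uint8_t)(size >> (8 * i));
        out[0x58 + 20 + i] = (uint8_t)(ptr >> (8 * i));
    }
    return out;
}
```

A non-zero result from count_oob_sections() on a file entering a signing pipeline is exactly the condition listed above under Indicators of Compromise, and such a file should be rejected before osslsigncode is invoked.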
Monitoring Recommendations
- Enable crash reporting and logging for all osslsigncode operations in CI/CD pipelines and build systems
- Implement rate limiting or anomaly detection for repeated osslsigncode failures
- Monitor system logs for segmentation fault signals (SIGSEGV) associated with osslsigncode processes
- Audit PE files entering your signing infrastructure using PE structure validation tools
How to Mitigate CVE-2026-39856
Immediate Actions Required
- Upgrade osslsigncode to version 2.13 or later immediately
- Audit any PE files recently processed by vulnerable osslsigncode versions
- Implement input validation for PE files before submitting them to osslsigncode
- Review and restrict access to code signing infrastructure to trusted sources only
Patch Information
The vulnerability has been fixed in osslsigncode version 2.13. The security patch adds proper bounds checking to the pe_page_hash_calc() function, ensuring that section header values are validated against the actual file size before memory access occurs.
The fix is available through the official GitHub release, and the specific commit addressing this vulnerability can be reviewed at commit 92f8761b. Additional details are available in the GitHub Security Advisory GHSA-rjrx-chvw-8jw8.
Workarounds
- Validate PE file structure using independent tools before processing with osslsigncode
- Implement sandboxing or containerization for osslsigncode operations to limit impact of crashes
- Restrict the sources of PE files accepted for signing to trusted internal repositories
- Consider temporarily disabling page hashing (the -ph flag) for signing operations until the upgrade is complete; note that verification of files that already contain page hashes remains vulnerable regardless of this setting
# Upgrade osslsigncode to patched version 2.13
# For systems using package managers, check for updated packages
# For source builds:
git clone https://github.com/mtrojnar/osslsigncode.git
cd osslsigncode
git checkout 2.13
mkdir build && cd build
cmake ..
make
sudo make install
# Verify the installed version
osslsigncode --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.