PT-2026-24692 · Quill · Quill

Opera-Aklajn · Published 2026-03-11 · Updated 2026-03-25 · CVE-2026-31961

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Quill versions prior to 0.7.1

Description: Quill, a tool for Mac binary signing and notarization, can allocate an excessive amount of memory when processing Mach-O binaries because it does not properly validate size and count fields while parsing these files. An attacker can supply a small, specially crafted Mach-O binary with inflated values in fields such as DataSize, DataOffset, Size, Count, and Length. Quill then attempts to allocate a large amount of memory, leading to memory exhaustion and a denial of service that can crash the process. Both the Quill CLI and the Go library are affected when they handle untrusted Mach-O files. The vulnerability is triggered while parsing Mach-O binaries, specifically when reading the LC_CODE_SIGNATURE load command and the embedded code-signing structures it points to, such as SuperBlob and BlobIndex.

Recommendations: Update versions prior to 0.7.1 to version 0.7.1 or later.
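The defensive pattern behind the fix is to check every declared length and count against the bytes actually present before any allocation is sized by them. The following Go program is an added example written for this advisory, not Quill's own code: it parses the SuperBlob header (magic, length, count) and its BlobIndex entries using the public layout from Apple's cs_blobs.h, and rejects a crafted input whose Length and Count fields are inflated. The maxBlobCount cap and the sample inputs are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of the embedded code-signature SuperBlob (Apple's cs_blobs.h);
// every field is a big-endian uint32.
const (
	csMagicEmbeddedSignature = 0xfade0cc0
	superBlobHeaderLen       = 12 // magic, length, count
	blobIndexLen             = 8  // type, offset
	maxBlobCount             = 1024 // hypothetical hard cap chosen for this example
)

// BlobIndex is one entry of the SuperBlob index.
type BlobIndex struct {
	Type   uint32
	Offset uint32
}

// SuperBlob is the parsed header plus its index.
type SuperBlob struct {
	Magic  uint32
	Length uint32
	Count  uint32
	Index  []BlobIndex
}

// ErrUntrustedSize is returned when a declared size or count is not backed by real bytes.
var ErrUntrustedSize = errors.New("superblob: size or count field exceeds available data")

// ParseSuperBlob validates every declared length and count against len(data)
// before the index slice is allocated.
func ParseSuperBlob(data []byte) (*SuperBlob, error) {
	if len(data) < superBlobHeaderLen {
		return nil, fmt.Errorf("superblob: need %d header bytes, have %d", superBlobHeaderLen, len(data))
	}
	sb := &SuperBlob{
		Magic:  binary.BigEndian.Uint32(data[0:4]),
		Length: binary.BigEndian.Uint32(data[4:8]),
		Count:  binary.BigEndian.Uint32(data[8:12]),
	}
	if sb.Magic != csMagicEmbeddedSignature {
		return nil, fmt.Errorf("superblob: unexpected magic 0x%08x", sb.Magic)
	}
	// The declared length must cover the header and lie within the bytes we hold.
	if sb.Length < superBlobHeaderLen || uint64(sb.Length) > uint64(len(data)) {
		return nil, ErrUntrustedSize
	}
	// Every index entry must fit inside the declared length; multiply in uint64
	// so an inflated Count cannot wrap the comparison.
	if uint64(sb.Count)*blobIndexLen > uint64(sb.Length-superBlobHeaderLen) {
		return nil, ErrUntrustedSize
	}
	if sb.Count > maxBlobCount {
		return nil, ErrUntrustedSize
	}
	// Only now is the allocation bounded by real input rather than by attacker-chosen numbers.
	sb.Index = make([]BlobIndex, 0, sb.Count)
	for i := 0; i < int(sb.Count); i++ {
		off := superBlobHeaderLen + i*blobIndexLen
		entry := BlobIndex{
			Type:   binary.BigEndian.Uint32(data[off : off+4]),
			Offset: binary.BigEndian.Uint32(data[off+4 : off+8]),
		}
		// Each referenced blob must also start inside the SuperBlob.
		if entry.Offset >= sb.Length {
			return nil, ErrUntrustedSize
		}
		sb.Index = append(sb.Index, entry)
	}
	return sb, nil
}

// buildSuperBlob writes a header and index entries into a totalSize-byte buffer;
// the declared length and count are taken verbatim so test inputs can lie.
func buildSuperBlob(totalSize int, length, count uint32, entries []BlobIndex) []byte {
	buf := make([]byte, totalSize)
	binary.BigEndian.PutUint32(buf[0:4], csMagicEmbeddedSignature)
	binary.BigEndian.PutUint32(buf[4:8], length)
	binary.BigEndian.PutUint32(buf[8:12], count)
	for i, e := range entries {
		off := superBlobHeaderLen + i*blobIndexLen
		binary.BigEndian.PutUint32(buf[off:off+4], e.Type)
		binary.BigEndian.PutUint32(buf[off+4:off+8], e.Offset)
	}
	return buf
}

// WellFormedSample is a constructed 64-byte SuperBlob with two consistent index entries.
func WellFormedSample() []byte {
	return buildSuperBlob(64, 64, 2, []BlobIndex{{Type: 0, Offset: 28}, {Type: 2, Offset: 40}})
}

// InflatedSample is a constructed 12-byte input whose Length and Count claim
// far more data than exists, the shape of input the advisory describes.
func InflatedSample() []byte {
	return buildSuperBlob(superBlobHeaderLen, 0xffffffff, 0xffffffff, nil)
}

func main() {
	for name, in := range map[string][]byte{"well-formed": WellFormedSample(), "inflated": InflatedSample()} {
		if sb, err := ParseSuperBlob(in); err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s: %d index entries parsed\n", name, len(sb.Index))
		}
	}
}
```

The same discipline applies to every other length-bearing field the advisory lists (DataSize, DataOffset, Size, Length): compare the declared value with the enclosing structure's real size first, and size allocations from that bounded value only.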

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-31961
GHSA-XJ69-M9QQ-8M94
GO-2026-4675
SUSE-SU-2026:1042-1

Affected Products

Quill