PT-2026-31643 · Unknown · Osslsigncode

Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-39853

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: osslsigncode versions prior to 2.12

Description: A stack buffer overflow exists in osslsigncode in several signature verification paths. While verifying a PKCS#7 signature, the code copies the digest value from the parsed SpcIndirectDataContent structure into a fixed-size stack buffer without checking that the source length fits the destination. The same copy pattern is present in the verification handlers for PE, MSI, CAB and script files. A crafted signed file whose digest field is longer than the buffer therefore makes the memcpy write past the end of the buffer and corrupt the stack. Exploitation requires a user to run osslsigncode verification on the attacker-supplied file, which is reflected in the AV:L/UI:R components of the vector.

Recommendations: Update osslsigncode to version 2.12 or later.
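The bug class described above, as an added schematic illustration that is not osslsigncode's own code: a digest length decoded from attacker-controlled DER is used directly as the memcpy size into a fixed stack buffer, and the hardened variant rejects any digest whose length does not match the size the declared algorithm produces before copying. The function names (parse_octet_string, copy_digest_unchecked, copy_digest_checked, verify_digest_field), the 64-byte buffer ceiling and the constructed OCTET STRING inputs are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size ceiling for a digest buffer (assumed here; OpenSSL's EVP_MAX_MD_SIZE is also 64). */
#define MAX_MD_SIZE 64

/* Result of decoding the digest OCTET STRING: a view into the encoded input. */
typedef struct {
    const unsigned char *data;
    size_t len;              /* attacker-controlled: taken straight from the encoding */
} parsed_digest_t;

/* Decode one DER OCTET STRING (tag 0x04) with a short-form or one-byte long-form
 * length. Returns 0 on success. A toy decoder, only enough to show where the
 * length originates; real code uses a full ASN.1 library. */
static int parse_octet_string(const unsigned char *buf, size_t buflen,
                              parsed_digest_t *out)
{
    size_t len, hdr;

    if (buflen < 2 || buf[0] != 0x04)
        return -1;
    if (buf[1] < 0x80) {            /* short form: length in one byte */
        len = buf[1];
        hdr = 2;
    } else if (buf[1] == 0x81) {    /* long form with one length byte */
        if (buflen < 3)
            return -1;
        len = buf[2];
        hdr = 3;
    } else {
        return -1;                  /* longer forms not modelled here */
    }
    if (len > buflen - hdr)         /* value must lie inside the input */
        return -1;
    out->data = buf + hdr;
    out->len = len;
    return 0;
}

/* VULNERABLE pattern: the decoded length is trusted as the copy size, so a
 * digest longer than MAX_MD_SIZE writes past mdbuf on the caller's stack.
 * Only ever called with a benign input in main() below. */
static int copy_digest_unchecked(const parsed_digest_t *d, unsigned char *mdbuf)
{
    memcpy(mdbuf, d->data, d->len);
    return (int)d->len;
}

/* HARDENED form: the digest must be exactly the size the declared algorithm
 * produces, and that size must fit the destination, or nothing is copied.
 * Returns bytes copied, or -1 on rejection. */
static int copy_digest_checked(const parsed_digest_t *d, size_t expected_len,
                               unsigned char *mdbuf, size_t mdbuf_size)
{
    if (expected_len == 0 || expected_len > mdbuf_size)
        return -1;
    if (d->len != expected_len)
        return -1;
    memcpy(mdbuf, d->data, d->len);
    return (int)d->len;
}

/* Builds a constructed OCTET STRING carrying encoded_len bytes of 0x41, decodes
 * it and runs the hardened copy for an algorithm with an expected_len-byte
 * digest. Returns expected_len on success, -1 if rejected, -2 if encoded_len
 * exceeds what this toy encoder can express. */
int verify_digest_field(size_t encoded_len, size_t expected_len)
{
    unsigned char encoding[3 + 255];
    unsigned char mdbuf[MAX_MD_SIZE];
    parsed_digest_t d;
    size_t hdr;

    if (encoded_len > 255)
        return -2;
    encoding[0] = 0x04;
    if (encoded_len < 0x80) {
        encoding[1] = (unsigned char)encoded_len;
        hdr = 2;
    } else {
        encoding[1] = 0x81;
        encoding[2] = (unsigned char)encoded_len;
        hdr = 3;
    }
    memset(encoding + hdr, 0x41, encoded_len);

    if (parse_octet_string(encoding, hdr + encoded_len, &d) != 0)
        return -1;
    return copy_digest_checked(&d, expected_len, mdbuf, sizeof mdbuf);
}

int main(void)
{
    unsigned char ok[2 + 32] = { 0x04, 32 };   /* benign 32-byte digest */
    unsigned char mdbuf[MAX_MD_SIZE];
    parsed_digest_t d;

    memset(ok + 2, 0x41, 32);
    if (parse_octet_string(ok, sizeof ok, &d) == 0)
        printf("unchecked copy of a valid 32-byte digest: %d bytes\n",
               copy_digest_unchecked(&d, mdbuf));

    /* The 200-byte field would have overflowed mdbuf in the unchecked path. */
    printf("checked, 32-byte digest vs 32-byte algorithm: %d\n", verify_digest_field(32, 32));
    printf("checked, 200-byte digest vs 32-byte algorithm: %d\n", verify_digest_field(200, 32));
    printf("checked, 64-byte digest vs 32-byte algorithm: %d\n", verify_digest_field(64, 32));
    return 0;
}
```

The check that matters is the equality against the algorithm's output size, not merely `len <= sizeof mdbuf`: a 64-byte value presented for a 32-byte algorithm fits the buffer but is still malformed, and rejecting it closes off any downstream code that assumes the digest length matches the algorithm.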

Tags: Stack Overflow, Memory Corruption

Related Identifiers: CVE-2026-39853

Affected Products: Osslsigncode