DEBIAN-CVE-2026-39855

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-39855

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-39855.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-39855

Upstream

CVE-2026-39855

Published

2026-04-09T17:16:29.140Z

Modified

2026-04-10T09:03:13.800798Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pepagehash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.

References

https://security-tracker.debian.org/tracker/CVE-2026-39855

Affected packages

Debian:11 / osslsigncode

Package

Name: osslsigncode
Purl: pkg:deb/debian/osslsigncode?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1-1

2.2-1

2.3.0-1

2.4-1

2.5-1

2.5-2

2.5-3

2.5-4~deb11u1

2.5-4

2.5-4~deb11u1+really2.9-1+deb11u2

2.8-1

2.8-2

2.9-1~bpo12+1

2.9-1

2.9-2

2.10-1

2.11-1

2.12-1

2.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-39855.json"

Debian:12 / osslsigncode

Package

Name: osslsigncode
Purl: pkg:deb/debian/osslsigncode?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5-4

2.8-1

2.8-2

2.9-1~bpo12+1

2.9-1

2.9-2

2.10-1

2.11-1

2.12-1

2.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-39855.json"

Debian:13 / osslsigncode

Package

Name: osslsigncode
Purl: pkg:deb/debian/osslsigncode?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9-2

2.10-1

2.11-1

2.12-1

2.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-39855.json"

Debian:14 / osslsigncode

Package

Name: osslsigncode
Purl: pkg:deb/debian/osslsigncode?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13-1

Affected versions

2.*

2.9-2

2.10-1

2.11-1

2.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-39855.json"