{"id":"CVE-2023-39969","summary":"uthenticode signature validation bypass vulnerability","details":"uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of uthenticode hashed the entire file rather than hashing sections by virtual address, in violation of the Authenticode specification. As a result, an attacker could modify code within a binary without changing the Authenticode hash that uthenticode computes, so the tampered binary would still appear validly signed from uthenticode's perspective. By design, uthenticode does not perform full-chain validation; the hash malleability introduced in 1.0.9, however, was an unintended oversight, not a design choice. Only version 1.0.9 is affected: versions prior to 1.0.9 are not vulnerable to this attack, and the 2.x series fixes it. Users are encouraged to upgrade to 2.x rather than downgrade. There are no workarounds for this vulnerability.","aliases":["GHSA-rc7g-99x7-4p9g"],"modified":"2026-04-12T02:37:06.672806Z","published":"2023-08-09T15:34:07.776Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39969.json","cwe_ids":["CWE-347"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39969.json"},{"type":"ADVISORY","url":"https://github.com/trailofbits/uthenticode/security/advisories/GHSA-rc7g-99x7-4p9g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39969"},{"type":"FIX","url":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b"},{"type":"FIX","url":"https://github.com/trailofbits/uthenticode/pull/84"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/trailofbits/uthenticode","events":[{"introduced":"0"},{"fixed":"8670b7bb9154d79c276483dcb7c9e9fd5e66455b"}]}],"versions":["v1.0.0","v1.0.0.pre.1","v1.0.0.pre.
2","v1.0.0.pre.3","v1.0.0.pre.4","v1.0.0.pre.5","v1.0.0.pre.5.1","v1.0.0.pre.6","v1.0.0.pre.7","v1.0.0.pre.8","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.6.pre.1","v1.0.7","v1.0.8","v1.0.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T02:37:06Z","vanir_signatures":[{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":738,"function_hash":"52519532579298097849325176364313690990"},"signature_type":"Function","id":"CVE-2023-39969-0eedf6f1","target":{"function":"TEST_F","file":"test/uthenticode-test.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":3304,"function_hash":"287136748298044510105787214174865856235"},"signature_type":"Function","id":"CVE-2023-39969-247491a3","target":{"function":"main","file":"src/svcli/svcli.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["224513235038466017800601904901210567836","297058746041384752412942209383405866904","71019581105866701291106949643958033113"]},"signature_type":"Line","id":"CVE-2023-39969-2694cb96","target":{"file":"src/include/uthenticode.h"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":738,"function_hash":"46240545201574304308004113642633584854"},"signature_type":"Function","id":"CVE-2023-39969-3b634b47","target":{"function":"TEST_F","file":"test/uthenticode-test.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["26841265454872298612984465824079060311"
,"176417717521727812114144389624298298629","83231992635368778569191228699596405717","75097619347979806076136499842815630777","107677686897427103167723656682872550806","280941275085927608863728433848736734136","315283021201105775895136005412391134603","61388759636340022459858489421194987848","265914872236067553284611728049390361679","75534710179622873602033842596338169438","177449488690189671879892985175676944708","141695117690061418964777859006427945285","237440299662664042845644583195217492287","16417442452955046752392771603636582333","340137862259065162509924089050379607979","255634363377179763598757694003164058788","83231992635368778569191228699596405717","298727546188414222159699224525871612714","80921186992334759466717729776769135580","285846233970093139379551901722602251650","296995300096643031785529826266136553488","13807895303118998937343416969289976621","121553936289520142974514427443599047104","12452486413312735405048644762527835499","274704625595712302128973110461847606131","59454296084380389288701928512366953830","154339568488109512957252517609002673784","74727844736009391838960348006897067722","49918031509079899154565394525110678846","156383611306702835290886147609728474768","83231992635368778569191228699596405717","298727546188414222159699224525871612714","80921186992334759466717729776769135580","285846233970093139379551901722602251650","296995300096643031785529826266136553488","13807895303118998937343416969289976621","121553936289520142974514427443599047104","12452486413312735405048644762527835499","274704625595712302128973110461847606131","59454296084380389288701928512366953830","144965204263309705699473807784113997001","300348340030234119590980432366150750928","6074263487273987214437728280536048553","280026723654071971832279830967608048804","83231992635368778569191228699596405717","253136275707729667248198737048869634078","237192560740048263686574398391048418688","155303932663834107018231010269028572243","176521139099121714800041865241392563410","10
1268929041815910340362724678711621550","59193833387757340240055804567483287456","151312703092508559467075292128491214627","302592796332297827307258556482113476628","145940913210600712775721279220495448555","334193143237114969389029523069860983553","255136953959162418300034328494156043723"]},"signature_type":"Line","id":"CVE-2023-39969-7ca9830c","target":{"file":"test/uthenticode-test.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":2122,"function_hash":"272765179330635670347885234307075202347"},"signature_type":"Function","id":"CVE-2023-39969-804201a1","target":{"function":"calculate_checksum","file":"src/uthenticode.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["139532799477733172794497460196999870794","239362477940238872308977651283263702778","250500780865551692864845635610512387104","263869041646294982700062168001093247097"]},"signature_type":"Line","id":"CVE-2023-39969-8373b4eb","target":{"file":"src/svcli/svcli.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":738,"function_hash":"46240545201574304308004113642633584854"},"signature_type":"Function","id":"CVE-2023-39969-a9d3fbd7","target":{"function":"TEST_F","file":"test/uthenticode-test.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"length":738,"function_hash":"243480121842989000028677669868346160518"},"signature_type":"Function","id":"CVE-2023-39969-c1919087","target":{"function":"TEST_F","file":"test/uthenticode-test.cpp"}},{"source":"https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c2764
83dcb7c9e9fd5e66455b","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["108925565217364905276580797068079017656","313016411121616817049584118921028031649","216482561830618217642315334888145712469","270316484766786073821352316275941528994","177652854223644796160723061066477485700","297469935570189597634748731656252389651","210591118838871763726044736876970347278","195148653456583223464498665626003600057","63421706087354519003245958865209378100","104367601856571164537276239693474483729","182608741134035822744895344412531401614","225542332087551538423566062837673900638","215008067283439446327353187428395877383","252041966048547557285266471943562267581","283810403253106918216040628177020400555","261566942661550396527789733724432588533","31692128243250309265019842884899264815","173523622423611021664233990665172668921","215999905716476895774206035777726002865","253607878748476544446881861110167432704","311847929733923854717166833303670041641","197966310068110628809103687783475816335","314670663847287428421313683155793907919","280992837438360234540561257962934966214","50259916597182444074910169769564168445","145280495144905461983680150813491827958","255217064735915501233495734150331910922","65713102320971652723747678544430047544","266211427986124781764741922917492732044","232925518079237611052342959875553426549","282056909110025040025139836388421225835","192834988780123154389077909869441816148","87933699809967163607439170254776669682","193275608465423724925979396436163016142","314020632243435068504511045762825800344"]},"signature_type":"Line","id":"CVE-2023-39969-e1b93129","target":{"file":"src/uthenticode.cpp"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39969.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}
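The details field of the record above describes the defect as hashing the whole file instead of following the per-section procedure in the Authenticode specification. As an added illustration (not code from uthenticode, from the advisory, or from the fix commit), the Python below implements the PE digest procedure from Microsoft's "Windows Authenticode Portable Executable Signature Format" document and contrasts it with a plain whole-file SHA-256 on a constructed minimal PE32 fixture: the CheckSum field, the Certificate Table data directory entry and the certificate table itself are excluded, the section bodies are hashed in PointerToRawData order rather than section-table order, and trailing bytes before the certificate table are included. The fixture, its section contents and the placeholder certificate blob are all constructed here, and `build_sample_pe`, `authenticode_hash` and `demo` are names chosen for this example. It does not reproduce the 1.0.9 defect itself; it shows what a conforming digest covers and which edits to a file it does and does not detect.

```python
"""Authenticode PE digest per Microsoft's Authenticode PE spec (added example, not uthenticode code)."""
import hashlib
import struct

FILE_ALIGN = 0x200


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def authenticode_hash(pe: bytes, algo: str = "sha256") -> bytes:
    """Digest of a PE image as the Authenticode spec defines it.

    Excluded: the CheckSum field, the Certificate Table data directory entry and
    the certificate table itself. Hashed: the rest of the headers, each section's
    raw data in ascending PointerToRawData order, then trailing bytes that precede
    the certificate table.
    """
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = _u16(pe, coff + 2)
    size_of_opt = _u16(pe, coff + 16)
    opt = coff + 20
    pe32plus = _u16(pe, opt) == 0x20B
    checksum_off = opt + 64                          # same offset for PE32 and PE32+
    secdir_off = opt + (144 if pe32plus else 128)    # data directory entry 4 (SECURITY)
    size_of_headers = _u32(pe, opt + 60)
    cert_size = _u32(pe, secdir_off + 4)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                      # headers up to CheckSum ...
    h.update(pe[checksum_off + 4:secdir_off])        # ... skip CheckSum ...
    h.update(pe[secdir_off + 8:size_of_headers])     # ... skip the cert table entry, rest of headers
    hashed = size_of_headers

    sect_table = opt + size_of_opt
    sections = [(_u32(pe, sect_table + 40 * i + 20), _u32(pe, sect_table + 40 * i + 16))
                for i in range(n_sections)]          # (PointerToRawData, SizeOfRawData)
    for ptr, size in sorted(sections):               # file order, not section-table order
        h.update(pe[ptr:ptr + size])
        hashed += size

    if len(pe) > hashed:
        # Spec: extra data starts at SUM_OF_BYTES_HASHED and is FILE_SIZE minus
        # (SUM_OF_BYTES_HASHED + cert table size) long, i.e. the spec assumes the
        # certificate table is the last thing in the file.
        extra = len(pe) - (hashed + cert_size)
        if extra > 0:
            h.update(pe[hashed:hashed + extra])
    return h.digest()


def build_sample_pe(text: bytes, data: bytes, cert_payload: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal PE32 fixture (not a loadable binary). The section table
    deliberately lists .data before .text so table order and file order disagree."""
    pad = lambda b: b + b"\0" * (-len(b) % FILE_ALIGN)
    text, data = pad(text), pad(data)
    size_of_headers = 0x200
    text_ptr, data_ptr = size_of_headers, size_of_headers + len(text)
    cert_ptr = data_ptr + len(data)
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7), bCertificate
    cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    cert += b"\0" * (-len(cert) % 8)
    n_dirs = 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96 + 8 * n_dirs, 0x0102)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 14, 0,                                     # PE32 magic, linker version
        len(text), len(data), 0, 0x1000, 0x1000, 0x2000,  # code/data sizes, entry point, bases
        0x400000, 0x1000, FILE_ALIGN,                     # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                                 # OS / image / subsystem versions
        0, 0x3000, size_of_headers, checksum,             # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0,                                             # Subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, n_dirs)    # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * n_dirs
    dirs[4] = (cert_ptr, len(cert))                       # SECURITY entry holds a file offset, not an RVA
    dirs_bytes = b"".join(struct.pack("<II", *d) for d in dirs)

    def section(name, va, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt + dirs_bytes
               + section(b".data", 0x2000, data, data_ptr, 0xC0000040)
               + section(b".text", 0x1000, text, text_ptr, 0x60000020))
    return headers.ljust(size_of_headers, b"\0") + text + data + cert


TEXT = bytes.fromhex("5589e531c05dc3")   # constructed stub: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
DATA = b"constructed .data contents\0"
CERT = b"constructed stand-in for a PKCS#7 SignedData blob"


def whole_file_sha256(pe: bytes) -> bytes:
    return hashlib.sha256(pe).digest()


def demo() -> dict:
    """Which edits change the whole-file hash, and which change the Authenticode hash."""
    original = build_sample_pe(TEXT, DATA, CERT)
    tampered = bytearray(original)
    tampered[0x203] ^= 0xFF                               # flip one byte of code inside .text
    variants = {
        "checksum_field_changed": build_sample_pe(TEXT, DATA, CERT, checksum=0xDEADBEEF),
        "certificate_table_replaced": build_sample_pe(TEXT, DATA, b"a different signature blob"),
        "code_byte_changed": bytes(tampered),
    }
    return {name: {"whole_file_hash_unchanged": whole_file_sha256(v) == whole_file_sha256(original),
                   "authenticode_hash_unchanged": authenticode_hash(v) == authenticode_hash(original)}
            for name, v in variants.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Rewriting the CheckSum field or swapping the certificate table leaves the Authenticode digest unchanged while the whole-file digest moves; flipping a byte inside .text changes both. Any verifier has to reproduce exactly this coverage, since every byte left out of the digest is a byte an attacker may change freely, and every byte wrongly included makes legitimately signed files fail.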