CVE-2026-31961

Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in environments such as CI/CD pipelines, shared signing services, or any workflow where externally-submitted binaries are accepted for signing. When parsing a Mach-O binary, Quill reads several size and count fields from the LC_CODE_SIGNATURE load command and embedded code signing structures (SuperBlob, BlobIndex) and uses them to allocate memory buffers without validating that the values are reasonable or consistent with the actual file size. Affected fields include DataSize, DataOffset, and Size from the load command, Count from the SuperBlob header, and Length from individual blob headers. An attacker can craft a minimal (~4KB) malicious Mach-O binary with extremely large values in these fields, causing Quill to attempt to allocate excessive memory. This leads to memory exhaustion and denial of service, potentially crashing the host process. Both the Quill CLI and Go library are affected when used to parse untrusted Mach-O files. This vulnerability is fixed in 0.7.1.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/anchore/quill/security/advisories/GHSA-xj69-m9qq-8m94	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 19:06

NVD link : CVE-2026-31961

Mitre link : CVE-2026-31961

CVE.ORG link : CVE-2026-31961

JSON object : View

Products Affected

anchore

quill

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-31961", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-11T20:16:17.103", "references": [{"url": "https://github.com/anchore/quill/security/advisories/GHSA-xj69-m9qq-8m94", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in environments such as CI/CD pipelines, shared signing services, or any workflow where externally-submitted binaries are accepted for signing. When parsing a Mach-O binary, Quill reads several size and count fields from the LC_CODE_SIGNATURE load command and embedded code signing structures (SuperBlob, BlobIndex) and uses them to allocate memory buffers without validating that the values are reasonable or consistent with the actual file size. Affected fields include DataSize, DataOffset, and Size from the load command, Count from the SuperBlob header, and Length from individual blob headers. An attacker can craft a minimal (~4KB) malicious Mach-O binary with extremely large values in these fields, causing Quill to attempt to allocate excessive memory. This leads to memory exhaustion and denial of service, potentially crashing the host process. Both the Quill CLI and Go library are affected when used to parse untrusted Mach-O files. This vulnerability is fixed in 0.7.1."}, {"lang": "es", "value": "Quill proporciona firma binaria de mac y notarizaci\u00f3n simples desde cualquier plataforma. Quill antes de la versi\u00f3n v0.7.1 contiene una vulnerabilidad de asignaci\u00f3n de memoria ilimitada al analizar binarios Mach-O. La explotaci\u00f3n requiere que Quill procese un binario Mach-O proporcionado por un atacante, lo cual es m\u00e1s probable en entornos como pipelines de CI/CD, servicios de firma compartidos o cualquier flujo de trabajo donde se acepten binarios enviados externamente para la firma. Al analizar un binario Mach-O, Quill lee varios campos de tama\u00f1o y recuento del comando de carga LC_CODE_SIGNATURE y estructuras de firma de c\u00f3digo incrustadas (SuperBlob, BlobIndex) y los usa para asignar b\u00faferes de memoria sin validar que los valores sean razonables o consistentes con el tama\u00f1o real del archivo. Los campos afectados incluyen DataSize, DataOffset y Size del comando de carga, Count del encabezado SuperBlob y Length de los encabezados de blobs individuales. Un atacante puede crear un binario Mach-O malicioso m\u00ednimo (~4KB) con valores extremadamente grandes en estos campos, lo que hace que Quill intente asignar memoria excesiva. Esto lleva al agotamiento de la memoria y a la denegaci\u00f3n de servicio, lo que podr\u00eda bloquear el proceso anfitri\u00f3n. Tanto la CLI de Quill como la biblioteca de Go se ven afectadas cuando se usan para analizar archivos Mach-O no confiables. Esta vulnerabilidad se corrige en 0.7.1."}], "lastModified": "2026-03-16T19:06:39.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E31EEF-FC47-43F9-8797-60E94FB1C0E5", "versionEndExcluding": "0.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}