{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70888", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:23:35.847Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T19:03:38.130Z"}, "descriptions": [{"lang": "en", "value": "An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ralphje/signify/issues/60"}, {"url": "https://github.com/mtrojnar/osslsigncode/issues/475"}, {"url": "https://github.com/mtrojnar/osslsigncode/pull/477"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:21:58.634740Z", "id": "CVE-2025-70888", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:23:35.847Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:21:58.634740Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:23:30.188Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/ralphje/signify/issues/60"}, {"url": "https://github.com/mtrojnar/osslsigncode/issues/475"}, {"url": "https://github.com/mtrojnar/osslsigncode/pull/477"}], "descriptions": [{"lang": "en", "value": "An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T19:03:38.130Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70888", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:23:35.847Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osslsigncode_project:osslsigncode:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E010F4C-F0A1-4F48-85EA-E1C2F74708ED", "versionEndIncluding": "2.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component"}, {"lang": "es", "value": "Un problema en mtrojnar Osslsigncode afectado en v2.10 y anteriores permite a un atacante remoto escalar privilegios a trav\u00e9s del componente osslsigncode.c"}], "id": "CVE-2025-70888", "lastModified": "2026-04-02T17:13:18.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T20:16:22.463", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/mtrojnar/osslsigncode/issues/475"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/mtrojnar/osslsigncode/pull/477"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ralphje/signify/issues/60"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "osslsigncode: Osslsigncode: Remote privilege escalation", "id": "2451443", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451443"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in osslsigncode. A remote attacker can exploit an issue within the osslsigncode.c component to escalate privileges. This vulnerability allows an attacker to gain elevated access, potentially leading to unauthorized control over the affected system."], "name": "CVE-2025-70888", "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-70888\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-70888\nhttps://github.com/mtrojnar/osslsigncode/issues/475\nhttps://github.com/mtrojnar/osslsigncode/pull/477\nhttps://github.com/ralphje/signify/issues/60"], "statement": "This Critical flaw in osslsigncode allows a remote attacker to escalate privileges. However, Red Hat products are unaffected because they do not ship the package. Additionally, the vulnerable code is not present in the osslsigncode packages shipped with Fedora.", "threat_severity": "Critical"}