CVE-2023-40012
CVE-2023-40012 is a medium-severity vulnerability in Trailofbits Uthenticode with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-325.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 0% (10th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-325
- Affected product: Trailofbits Uthenticode
- Published:
- Last modified:
Description
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
Frequently asked questions
- What is CVE-2023-40012?
- uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
- How severe is CVE-2023-40012?
- CVE-2023-40012 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2023-40012 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (10th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-40012?
- CVE-2023-40012 affects Trailofbits Uthenticode. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-40012?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-40012 published?
- CVE-2023-40012 was published on 2023-08-09 and last updated on 2026-06-17.
References
- https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53
- https://github.com/trailofbits/uthenticode/pull/78
- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj
Affected products (1)
- cpe:2.3:a:trailofbits:uthenticode:*:*:*:*:*:*:*:*
More vulnerabilities in Trailofbits Uthenticode
- CVE-2023-39969 — Critical (CVSS 9.0): uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of…
All CVEs affecting Trailofbits Uthenticode →
Other CWE-325 vulnerabilities
- CVE-2026-4601 — High (CVSS 8.7): Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the…
- CVE-2025-30147 — High (CVSS 8.7): Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum…
- CVE-2026-45445 — High (CVSS 7.5): Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the…
- CVE-2026-41395 — High (CVSS 7.5): OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes…
- CVE-2026-22863 — High (CVSS 7.5): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The…
- CVE-2025-60704 — High (CVSS 7.5): Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.