CVE-2026-31961
CWE-770Published: March 11, 2026· Updated: Mar 16, 2026
Official Description
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in environments such as CI/CD pipelines, shared signing services, or any workflow where externally-submitted binaries are accepted for signing. When parsing a Mach-O binary, Quill reads several size and count fields from the LC_CODE_SIGNATURE load command and embedded code signing structures (SuperBlob, BlobIndex) and uses them to allocate memory buffers without validating that the values are reasonable or consistent with the actual file size. Affected fields include DataSize, DataOffset, and Size from the load command, Count from the SuperBlob header, and Length from individual blob headers. An attacker can craft a minimal (~4KB) malicious Mach-O binary with extremely large values in these fields, causing Quill to attempt to allocate excessive memory. This leads to memory exhaustion and denial of service, potentially crashing the host process. Both the Quill CLI and Go library are affected when used to parse untrusted Mach-O files. This vulnerability is fixed in 0.7.1.
Technical Analysis
CVE-2026-31961 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
Official Patches & Advisories
All References (1)
Quick Facts
Related CVEs (CWE-770)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-31961 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts