Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.5
Quill Fails to Safely Parse Mach-O Binaries, Leading to Crash
GHSA-xj69-m9qq-8m94
CVE-2026-31961
Summary
Quill's code signing tool fails to properly validate Mach-O binary sizes, allowing an attacker to submit a malicious file that causes the tool to run out of memory and crash. This affects Quill versions before 0.7.1, which should be updated immediately to prevent crashes. If you're using Quill in a CI/CD pipeline or similar environment, verify that you're running the latest version.
What to do
- Update github.com anchore to version 0.7.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | anchore | <= 0.7.1 | 0.7.1 |
Original title
Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing
Original description
### Impact
Quill before version `v0.7.1` contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in environments such as CI/CD pipelines, shared signing services, or any workflow where externally-submitted binaries are accepted for signing.
When parsing a Mach-O binary, Quill reads several size and count fields from the `LC_CODE_SIGNATURE` load command and embedded code signing structures (`SuperBlob`, `BlobIndex`) and uses them to allocate memory buffers without validating that the values are reasonable or consistent with the actual file size. Affected fields include `DataSize`, `DataOffset`, and `Size` from the load command, `Count` from the `SuperBlob` header, and `Length` from individual blob headers. An attacker can craft a minimal (~4KB) malicious Mach-O binary with extremely large values in these fields, causing Quill to attempt to allocate excessive memory. This leads to memory exhaustion and denial of service, potentially crashing the host process. Both the Quill CLI and Go library are affected when used to parse untrusted Mach-O files.
### Patches
Fixed in Quill `v0.7.1`
### Workarounds
None
### Credit
Anchore would like to thank opera-aklajn (Opera) for reporting this vulnerability
### Resources
- [Inside code signing: hashes (Apple documentation)](https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes)
Quill before version `v0.7.1` contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in environments such as CI/CD pipelines, shared signing services, or any workflow where externally-submitted binaries are accepted for signing.
When parsing a Mach-O binary, Quill reads several size and count fields from the `LC_CODE_SIGNATURE` load command and embedded code signing structures (`SuperBlob`, `BlobIndex`) and uses them to allocate memory buffers without validating that the values are reasonable or consistent with the actual file size. Affected fields include `DataSize`, `DataOffset`, and `Size` from the load command, `Count` from the `SuperBlob` header, and `Length` from individual blob headers. An attacker can craft a minimal (~4KB) malicious Mach-O binary with extremely large values in these fields, causing Quill to attempt to allocate excessive memory. This leads to memory exhaustion and denial of service, potentially crashing the host process. Both the Quill CLI and Go library are affected when used to parse untrusted Mach-O files.
### Patches
Fixed in Quill `v0.7.1`
### Workarounds
None
### Credit
Anchore would like to thank opera-aklajn (Opera) for reporting this vulnerability
### Resources
- [Inside code signing: hashes (Apple documentation)](https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes)
ghsa CVSS3.1
5.5
Vulnerability type
CWE-770
Allocation of Resources Without Limits
- https://github.com/anchore/quill/security/advisories/GHSA-xj69-m9qq-8m94
- https://github.com/anchore/quill/commit/80cf3fe082678af0ec4f9f8dd93f39189d2dc1fe
- https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-h...
- https://github.com/anchore/quill/releases/tag/v0.7.1
- https://github.com/advisories/GHSA-xj69-m9qq-8m94
- https://nvd.nist.gov/vuln/detail/CVE-2026-31961
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026