CVE-2026-31960 (GCVE-0-2026-31960)

Vulnerability from cvelistv5 – Published: 2026-03-11 19:31 – Updated: 2026-03-12 19:58
VLAI?
Title
DoS in Quill via unbounded read of HTTP response body during notarization
Summary
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill reads the entire response body into memory without any size limit. An attacker who can control or modify the response content can return an arbitrarily large payload, causing the Quill client to run out of memory and crash. The impact is limited to availability; there is no effect on confidentiality or integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This vulnerability is fixed in 0.7.1.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
Vendor Product Version
anchore quill Affected: < 0.7.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31960",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:58:23.280187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:58:33.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "quill",
          "vendor": "anchore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple\u0027s notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill reads the entire response body into memory without any size limit. An attacker who can control or modify the response content can return an arbitrarily large payload, causing the Quill client to run out of memory and crash. The impact is limited to availability; there is no effect on confidentiality or integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This vulnerability is fixed in 0.7.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T19:31:34.867Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g"
        }
      ],
      "source": {
        "advisory": "GHSA-g32c-4pvp-769g",
        "discovery": "UNKNOWN"
      },
      "title": "DoS in Quill via unbounded read of HTTP response body during notarization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31960",
    "datePublished": "2026-03-11T19:31:34.867Z",
    "dateReserved": "2026-03-10T15:40:10.482Z",
    "dateUpdated": "2026-03-12T19:58:33.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31960\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-11T20:16:16.940\",\"lastModified\":\"2026-03-16T19:19:38.717\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple\u0027s notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill reads the entire response body into memory without any size limit. An attacker who can control or modify the response content can return an arbitrarily large payload, causing the Quill client to run out of memory and crash. The impact is limited to availability; there is no effect on confidentiality or integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This vulnerability is fixed in 0.7.1.\"},{\"lang\":\"es\",\"value\":\"Quill proporciona firma binaria de mac simple y notarizaci\u00f3n desde cualquier plataforma. Quill antes de la versi\u00f3n v0.7.1 tiene lecturas ilimitadas de cuerpos de respuesta HTTP durante el proceso de notarizaci\u00f3n de Apple. La explotaci\u00f3n requiere la capacidad de modificar respuestas de API del servicio de notarizaci\u00f3n de Apple, lo cual no es posible bajo condiciones de red est\u00e1ndar debido a HTTPS con validaci\u00f3n adecuada de certificados TLS; sin embargo, entornos con proxies de intercepci\u00f3n TLS (comunes en redes corporativas), autoridades de certificaci\u00f3n comprometidas, u otras violaciones de l\u00edmites de confianza est\u00e1n en riesgo. Al procesar respuestas HTTP durante la notarizaci\u00f3n, Quill lee el cuerpo completo de la respuesta en la memoria sin ning\u00fan l\u00edmite de tama\u00f1o. Un atacante que puede controlar o modificar el contenido de la respuesta puede devolver una carga \u00fatil arbitrariamente grande, haciendo que el cliente de Quill se quede sin memoria y falle. El impacto se limita a la disponibilidad; no hay efecto en la confidencialidad o integridad. Tanto la CLI de Quill como la biblioteca se ven afectadas cuando se utilizan para realizar operaciones de notarizaci\u00f3n. Esta vulnerabilidad se corrige en 0.7.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.7.1\",\"matchCriteriaId\":\"F1E31EEF-FC47-43F9-8797-60E94FB1C0E5\"}]}]}],\"references\":[{\"url\":\"https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31960\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T19:58:23.280187Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T19:58:30.269Z\"}}], \"cna\": {\"title\": \"DoS in Quill via unbounded read of HTTP response body during notarization\", \"source\": {\"advisory\": \"GHSA-g32c-4pvp-769g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"anchore\", \"product\": \"quill\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.7.1\"}]}], \"references\": [{\"url\": \"https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g\", \"name\": \"https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple\u0027s notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill reads the entire response body into memory without any size limit. An attacker who can control or modify the response content can return an arbitrarily large payload, causing the Quill client to run out of memory and crash. The impact is limited to availability; there is no effect on confidentiality or integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This vulnerability is fixed in 0.7.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-11T19:31:34.867Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-31960\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T19:58:33.103Z\", \"dateReserved\": \"2026-03-10T15:40:10.482Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-11T19:31:34.867Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.