PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44088 Krajowa Izba Rozliczeniowa CVE debrief

CVE-2026-44088 describes a signature verification bypass in SzafirHost, Polish electronic signature software from Krajowa Izba Rozliczeniowa (KIR). The vulnerability stems from a mismatch between how the application verifies JAR file signatures and how it loads classes. SzafirHost verifies signatures with `JarInputStream`, a streaming parser that walks local file headers from the start of the file and stops at the first central directory it meets, but loads classes with `JarFile`/`URLClassLoader`, which locate entries through the End of Central Directory record at the end of the file. This inconsistency allows an attacker to craft a polyglot file that concatenates a genuine, signed JAR with an attacker-controlled ZIP archive: `JarInputStream` sees and validates only the signed portion, while `JarFile` honours the trailing Central Directory and loads the attacker's classes. The result is remote code execution in the context of SzafirHost once a user opens the malicious file. The vulnerability was fixed in SzafirHost version 1.2.1. The issue was reported to CERT.PL and disclosed on May 15, 2026. The CVSS 4.0 score of 8.6 reflects a network attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability.

Vendor
Krajowa Izba Rozliczeniowa
Product
SzafirHost
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

  • Organizations using SzafirHost for electronic signature operations in Poland
  • Security teams defending against supply chain attacks via signed JAR files
  • Java application developers implementing signature verification
  • Incident responders investigating suspicious JAR file executions

Technical summary

The vulnerability is a parsing differential between two Java APIs applied to the same file. `JarInputStream` (built on `ZipInputStream`) reads the file sequentially from offset 0: it parses local file headers, verifies each entry against the manifest and signature block files as the entry is read, and treats the first non-local-header signature it meets, normally the start of the Central Directory, as the end of the archive. `JarFile` (and therefore `URLClassLoader`) works the other way round: it locates the End of Central Directory record from the end of the file and trusts the Central Directory it points to for the list of entries and their offsets, and, like most ZIP readers, it tolerates arbitrary data in front of the archive that directory describes. An attacker therefore appends a ZIP of their own to a legitimately signed JAR. The streaming verifier sees only the signed JAR and reports a valid signature; the class loader resolves entries through the attacker's trailing Central Directory and loads attacker-controlled classes, which run with the privileges of the SzafirHost process. The check and the load simply look at different bytes. This is a variant of the classic ZIP/JAR polyglot attack, in which security-critical and functional code paths parse the same input differently; the general remedy is to verify through the same parser view that performs the load, for example by opening the file once with `JarFile` and checking each entry's code signers after reading it, rather than verifying with one API and loading with another.
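The differential described above, reproduced as an added example that is not part of this debrief and not SzafirHost code: Python's `zipfile` plays the `JarFile` role, because it too resolves entries through the last End of Central Directory record and tolerates data prepended to the archive, while a small sequential walker over local file headers plays the `JarInputStream` role. The "signature" is a manifest digest standing in for the real .SF/.RSA check, the class bytes, class name and archive contents are constructed placeholders, and `consistency_problems` is an added hardening check, going beyond what the page describes, that rejects any file whose two views disagree.

```python
"""Added example: JarInputStream-vs-JarFile parsing differential on a constructed
ZIP polyglot, plus a consistency check that rejects it. Not SzafirHost code."""
import base64
import hashlib
import io
import struct
import zipfile

LOCAL_SIG, EOCD_SIG = 0x04034B50, 0x06054B50
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")  # 30-byte local file header
EOCD = struct.Struct("<IHHHHIIH")          # 22-byte end-of-central-directory record


def build_zip(members):
    """Write members (name -> bytes) as a STORED archive so reading back needs no inflate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholders: no real bytecode, no real .SF/.RSA signature block.
# The manifest digest stands in for the signed digest a JAR verifier checks.
CLASS_NAME = "pl/example/Benign.class"
BENIGN_CLASS = b"\xca\xfe\xba\xbe benign class bytes (constructed placeholder)"
EVIL_CLASS = b"\xca\xfe\xba\xbe attacker class bytes (constructed placeholder)"
MANIFEST = (b"Manifest-Version: 1.0\r\n\r\nName: " + CLASS_NAME.encode()
            + b"\r\nSHA-256-Digest: "
            + base64.b64encode(hashlib.sha256(BENIGN_CLASS).digest()) + b"\r\n")

SIGNED_JAR = build_zip({"META-INF/MANIFEST.MF": MANIFEST, CLASS_NAME: BENIGN_CLASS})
EVIL_ZIP = build_zip({"META-INF/MANIFEST.MF": MANIFEST, CLASS_NAME: EVIL_CLASS})
POLYGLOT = SIGNED_JAR + EVIL_ZIP  # genuine archive first, attacker archive appended


def stream_entries(blob):
    """Sequential view (what JarInputStream sees): walk local file headers from offset 0
    and stop at the first non-local signature, i.e. the first central directory.
    Returns ([(name, data, crc32)], offset where the walk stopped)."""
    entries, pos = [], 0
    while pos + LOCAL_HDR.size <= len(blob):
        f = LOCAL_HDR.unpack_from(blob, pos)
        if f[0] != LOCAL_SIG:
            break
        flags, method, crc, csize, nlen, xlen = f[2], f[3], f[6], f[7], f[9], f[10]
        if flags & 0x0008 or method != 0:
            raise ValueError("toy parser: STORED entries with sizes in the local header only")
        name = blob[pos + LOCAL_HDR.size:pos + LOCAL_HDR.size + nlen].decode()
        start = pos + LOCAL_HDR.size + nlen + xlen
        entries.append((name, blob[start:start + csize], crc))
        pos = start + csize
    return entries, pos


def verify_like_jarinputstream(blob):
    """Check every manifest digest against the bytes the *sequential* walk yields.
    True means 'the signed part verifies'; the appended archive is never examined."""
    files = {name: data for name, data, _ in stream_entries(blob)[0]}
    for section in files["META-INF/MANIFEST.MF"].decode().split("\r\n\r\n")[1:]:
        attrs = dict(line.split(": ", 1) for line in section.strip().split("\r\n"))
        actual = base64.b64encode(hashlib.sha256(files[attrs["Name"]]).digest()).decode()
        if actual != attrs["SHA-256-Digest"]:
            return False
    return True


def load_like_jarfile(blob, name):
    """Random-access view (what JarFile/URLClassLoader use): zipfile finds entries through
    the LAST end-of-central-directory record and, like java.util.zip.ZipFile, accepts
    data prepended before the archive that record describes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def consistency_problems(blob):
    """Hardening check: both views must list the same entries (name and CRC), and the
    central directory must sit exactly where the local entries end. [] == consistent."""
    problems = []
    seq, stop = stream_entries(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        cd = [(i.filename, i.CRC) for i in zf.infolist()]
    if [(n, c) for n, _, c in seq] != cd:
        problems.append("sequential and central-directory views list different entries/CRCs")
    e = EOCD.unpack_from(blob, len(blob) - EOCD.size)
    if e[0] != EOCD_SIG:
        problems.append("no end-of-central-directory record at the end of the file")
    elif e[6] != stop or stop + e[5] + EOCD.size != len(blob):
        problems.append("central directory offset/size do not account for the whole file")
    return problems


if __name__ == "__main__":
    print("streaming verifier accepts polyglot:", verify_like_jarinputstream(POLYGLOT))
    print("class loader would get:", load_like_jarfile(POLYGLOT, CLASS_NAME))
    print("consistency problems:", consistency_problems(POLYGLOT))
```

The appended archive deliberately repeats the manifest and the class name, so a check that compares entry names alone would pass; comparing CRCs and checking that the directory offset and size account for the whole file is what catches it. In Java the durable fix is the one the summary describes: open the file once with `new JarFile(file, true)`, read each entry to the end, and require `JarEntry.getCodeSigners()` to be non-null and chain to the expected signer, so verification and loading use the same view of the bytes; whether that is how the 1.2.1 fix was implemented is not stated in the advisory.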

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade SzafirHost to version 1.2.1 or later to remediate this vulnerability
  • Implement application whitelisting to prevent execution of untrusted JAR files
  • Deploy endpoint detection and response (EDR) solutions with behavioral monitoring for Java process execution
  • Educate users on the risks of opening JAR files from untrusted sources
  • Consider network segmentation to limit impact of potential code execution
  • Review JAR file handling in other applications: any code that verifies an archive with one parser (`JarInputStream`) and loads it with another (`JarFile`/`URLClassLoader`) is exposed to the same differential and should verify and load through a single parser view

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The fix version 1.2.1 is explicitly stated in the CVE description. The vendor evidence points to Elektronicznypodpis.pl, the Polish electronic signature service site associated with the vendor. CERT.PL (the Polish national CERT) is identified as the reporting source. The CVSS vector confirms a network attack vector, low attack complexity, and high impact across confidentiality, integrity, and availability. CWE-434 (Unrestricted Upload of File with Dangerous Type) is the assigned weakness, though the underlying issue is more precisely a signature verification bypass via a parsing differential, which CWE-347 (Improper Verification of Cryptographic Signature) describes more closely.

Official resources

2026-05-15T09:16:16.307Z