Anchore's Quill, a tool for macOS binary signing and notarization, suffers from a resource exhaustion vulnerability (CVE-2026-31961) due to improper validation of size-related fields when parsing Mach-O binaries. Specifically, Quill reads size and count fields from the LC_CODE_SIGNATURE load command and embedded code signing structures such as SuperBlob and BlobIndex without verifying their reasonableness or consistency with the actual file size. Fields affected include DataSize, DataOffset, Size, Count, and Length. An attacker can craft a minimal Mach-O binary (~4KB) with these fields set to extremely large values, causing Quill to allocate excessive memory buffers. This unbounded allocation leads to memory exhaustion, resulting in denial of service by crashing the Quill process. The vulnerability affects both the Quill command-line interface and its Go library when parsing untrusted Mach-O files. Exploitation scenarios are most relevant in environments that accept externally-submitted binaries for signing, such as CI/CD pipelines or shared signing services. The vulnerability does not impact confidentiality or integrity but affects availability. The issue is resolved in Quill version 0.7.1. The CVSS v3.1 score is 5.5 (medium), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. No known exploits have been reported in the wild.

The primary impact of this vulnerability is denial of service through memory exhaustion, which can crash the Quill process responsible for signing Mach-O binaries. Organizations relying on Quill in automated workflows such as CI/CD pipelines or shared signing services may experience service disruptions, delays in build or release processes, and potential operational downtime. While the vulnerability does not compromise confidentiality or integrity, the availability impact can affect development velocity and trust in automated signing workflows. In environments where multiple binaries are processed continuously, an attacker could repeatedly submit crafted Mach-O files to cause persistent denial of service. This could also lead to resource exhaustion on build servers, potentially affecting other processes. Since Quill is used for macOS binary signing, organizations developing or distributing macOS software are most at risk. The lack of known exploits reduces immediate risk, but the vulnerability’s presence in automated pipelines means attackers with access to submit binaries could leverage it to disrupt operations.

Organizations should upgrade Anchore Quill to version 0.7.1 or later, where this vulnerability is fixed. Until upgrading, implement strict validation and filtering of Mach-O binaries submitted for signing, rejecting files with suspiciously large or inconsistent size fields in the LC_CODE_SIGNATURE load command and embedded structures. Employ resource limits and monitoring on build and signing servers to detect and prevent excessive memory usage by Quill processes. Consider sandboxing or isolating the Quill process to limit the impact of crashes. In CI/CD pipelines, restrict who can submit binaries for signing and audit submissions for anomalies. Use runtime memory monitoring tools to alert on unusual memory allocation patterns during binary parsing. Additionally, review and harden the overall binary submission workflow to prevent untrusted or malformed binaries from reaching the signing stage. Maintain up-to-date vulnerability scanning and patch management practices to promptly address future issues.