
CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

CERT Polska disclosed CVE-2026-44088 on 2026-05-15: a parser differential in the class-loading path of SzafirHost, the browser-integration component of Poland's Szafir qualified electronic signature (QES) ecosystem operated by KIR (Krajowa Izba Rozliczeniowa), an eIDAS qualified trust service provider (CERT-PL, 2026-05-15). ENISA's EUVD entry EUVD-2026-30512 records the CVSS 4.0 base score of 8.6 used in this brief's footer; CERT-PL's own write-up does not publish a numeric CVSS. SzafirHost is the helper that downloads and loads signed JAR plugins to bridge smart-card signing into Chrome, Firefox and Opera.

Root cause. A JAR is a ZIP, and the Java runtime can parse the same ZIP two different ways. JarInputStream is a streaming parser: it walks the local file headers from the start of the file and verifies the code-signing certificate and signature files against the entries it encounters in that order. JarFile, and therefore URLClassLoader, instead locate the End of Central Directory record at the end of the file and resolve every entry through the central directory it points to, silently compensating for any bytes that precede the archive. If a genuine signed JAR is concatenated with a second, attacker-built ZIP, the streaming verifier sees only the signed entries, while the class loader sees only the appended archive. CERT-PL states verbatim: "It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded."

Exploitation precondition and impact. An attacker who controls the JAR download path (man-in-the-middle on the SzafirHost CDN/update channel, DNS interception, or a compromised mirror) can execute arbitrary code inside SzafirHost and, in the context of an authenticated KIR user session, silently sign fraudulent documents. Technique class: the Java analogue of ATT&CK T1574.002 (Hijack Execution Flow: DLL Side-Loading), in that the trusted loader is fed attacker-controlled code in place of the legitimate module. Patched in SzafirHost 1.2.1.

Why it matters to us. Szafir QES is one of the established Polish qualified signature ecosystems used in Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows. Under eIDAS, qualified electronic signatures issued by a Polish QTSP are legally recognised in every EU member state; Switzerland's ZertES regime sits outside eIDAS, with no automatic mutual recognition, so a Swiss relying party that accepts Polish QES output does so under its own acceptance policy and inherits the same trust assumption. A successful zip-polyglot attack against the SzafirHost JAR download path weaponises every signature produced on the compromised endpoint: an integrity-class failure that breaks the baseline assumption behind eIDAS-trusted documents wherever Polish QES output is consumed.
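The parser differential described above, as an added example that is not part of the CERT-PL advisory or of SzafirHost: both archives are constructed inline, there is no real code signing, and the check in `views_agree` is this brief's own suggested hardening rather than the vendor's patch. `sequential_view` mimics what JarInputStream reads (local headers from offset 0), and Python's `zipfile` stands in for JarFile / URLClassLoader because, like `java.util.zip.ZipFile`, it resolves entries through the central directory found at the end of the file and compensates for prepended data.

```python
"""Zip-polyglot parse differential (constructed example, not the advisory's code).

sequential_view: forward walk over local file headers, as JarInputStream does.
central_view:    resolve entries via the End-Of-Central-Directory record at the
                 end of the file, as JarFile / URLClassLoader do.
views_agree:     suggested hardening; reject any archive whose two views differ.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Fixed 30-byte local file header: sig, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def build_zip(entries):
    """Build an in-memory STORED zip from {name: bytes} (sizes live in the local header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sequential_view(blob):
    """Walk local headers from offset 0 and stop at the first non-local signature,
    i.e. at the central directory of the FIRST archive. Returns {name: (offset, crc, data)}."""
    entries, pos = {}, 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        (_sig, _ver, flags, method, _time, _date, crc, csize, _usize,
         nlen, elen) = LOCAL_HDR.unpack_from(blob, pos)
        if flags & 0x08 or method != 0:
            # Toy parser: only STORED entries whose sizes are in the local header.
            raise ValueError("unsupported entry layout for this toy parser")
        name = blob[pos + 30:pos + 30 + nlen].decode()
        start = pos + 30 + nlen + elen
        data = blob[start:start + csize]
        if zlib.crc32(data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch for {name}")
        entries[name] = (pos, crc, data)
        pos = start + csize
    return entries


def central_view(blob):
    """Resolve entries through the EOCD/central directory at the END of the file.
    zipfile fixes up header offsets for prepended data, exactly like ZipFile's
    locpos adjustment, so an appended archive wins. Returns {name: (offset, crc, data)}."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: (zi.header_offset, zi.CRC, zf.read(zi.filename))
                for zi in zf.infolist()}


def views_agree(blob):
    """Hardening check (this brief's suggestion, not the vendor's fix): the entry set
    reached by a forward walk must match, name by name, offset by offset and byte for
    byte, the entry set reached through the central directory."""
    return sequential_view(blob) == central_view(blob)


def build_polyglot():
    """Constructed sample: a 'signed' plugin JAR followed by an attacker ZIP that
    carries a different plugin/Main.class. Returns (clean_jar, polyglot)."""
    signed = build_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "plugin/Main.class": b"BENIGN-CLASS-BYTES",
    })
    malicious = build_zip({"plugin/Main.class": b"MALICIOUS-CLASS-BYTES"})
    return signed, signed + malicious


if __name__ == "__main__":
    clean, poly = build_polyglot()
    print("forward walk sees:", sorted(sequential_view(poly)))
    print("central dir sees: ", sorted(central_view(poly)))
    print("clean archive consistent:", views_agree(clean))
    print("polyglot consistent:     ", views_agree(poly))
```

On the polyglot the forward walk returns the signed manifest and the benign `plugin/Main.class`, while the central-directory view returns only the attacker's `plugin/Main.class`; the comparison in `views_agree` rejects it while accepting the clean archive. In a Java deployment the equivalent fix is to verify signatures through the same `JarFile` view that the class loader uses, or to refuse archives whose first local header is not at offset 0 or that carry trailing data after the central directory.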