CERT Polska discloses a JAR parser-confusion RCE in the SzafirHost e-signature client (CVE-2026-13165)
From CTI Daily Brief — 2026-06-30 · published 2026-06-30
CERT Polska disclosed CVE-2026-13165 in SzafirHost, a Java-based e-signature and trusted-timestamping client developed by Krajowa Izba Rozliczeniowa (KIR) (CERT Polska, 2026-06-29). The bug — assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) — is a Java parser-confusion leading to remote code execution: SzafirHost verifies a JAR's signature with JarFile (which reads the ZIP Central Directory at the end of the archive) but extracts with JarInputStream (which walks local file headers sequentially). An attacker who can deliver a crafted JAR — for example a tampered update package or document — embeds a malicious native library between the last legitimate entry and the Central Directory; the signature walk never sees the injected entry (and archive-size validation still passes), but extraction writes the library to disk without hash verification, where it is then loaded and executed. CERT-PL is the disclosing authority and reports no in-the-wild exploitation; the fix is SzafirHost v1.2.2.
Why it matters to us: Qualified e-signature clients like SzafirHost sit in eIDAS-regulated document workflows used across EU public administration and finance, and they routinely process externally-supplied signed files — exactly the delivery path this bug needs. Inventory SzafirHost versions on signing workstations and push v1.2.2; the underlying JarFile-vs-JarInputStream confusion is a transferable hunting pattern for any Java signature-verification tooling. Detection concept: watch for unexpected native-library creation in Java temp directories during SzafirHost invocation, and JVM startup arguments referencing unexpected library paths.
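The JarFile-vs-JarInputStream disagreement described above can be checked for directly: read the entry list from the ZIP Central Directory (what a signature check over JarFile sees) and compare it against a sequential walk of the local file headers (what JarInputStream extracts), and flag any name that appears only in the walk. The following is an added example written for this brief, not code from CERT Polska, KIR or SzafirHost; it is a stand-alone Python script that approximates the two Java views with `zipfile` and a hand-rolled local-header walk. The fixture JAR, its entry names and the harmless `stray.bin` text entry spliced in before the Central Directory are all constructed here purely so the detector has something to assert on.

```python
"""Flag ZIP/JAR entries that a sequential local-header walk sees but the
Central Directory does not (the JarInputStream-vs-JarFile disagreement).
Added example for the CVE-2026-13165 brief; not the vendor's code."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory header signature
DESCRIPTOR_SIG = b"PK\x07\x08"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header


def central_directory_entries(jar_bytes: bytes) -> dict:
    """The archive as JarFile sees it: Central Directory, name -> compressed size."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: info.compress_size for info in zf.infolist()}


def local_header_entries(jar_bytes: bytes, central: dict) -> list:
    """The archive as JarInputStream sees it: walk local headers front to back
    until the first non-local signature (normally the Central Directory)."""
    names, pos = [], 0
    while jar_bytes.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(jar_bytes, pos)
        name_start = pos + LOCAL_HDR.size
        name = jar_bytes[name_start:name_start + name_len].decode("utf-8", "replace")
        data_start = name_start + name_len + extra_len
        names.append(name)
        if flags & 0x8:
            # Sizes deferred to a trailing data descriptor. Borrow the size from
            # the Central Directory; an unknown streamed entry cannot be skipped
            # safely, so stop the walk there (it is already recorded as seen).
            if name not in central:
                break
            csize = central[name]
        pos = data_start + csize
        if flags & 0x8:  # skip the data descriptor (optional signature + 12 bytes)
            pos += 16 if jar_bytes.startswith(DESCRIPTOR_SIG, pos) else 12
    return names


def find_hidden_entries(jar_bytes: bytes) -> list:
    """Names the extraction walk would write but the signature view never sees."""
    central = central_directory_entries(jar_bytes)
    local = local_header_entries(jar_bytes, central)
    return [n for n in local if n not in central]


def build_sample_jar(with_stray_entry: bool = False) -> bytes:
    """Constructed test fixture: a two-entry JAR; optionally with a harmless
    stored text entry spliced between the last entry and the Central Directory
    so that only the local-header walk can see it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    data = buf.getvalue()
    if not with_stray_entry:
        return data
    eocd = data.rfind(b"PK\x05\x06")                      # end of central directory
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    payload = b"placeholder text for the detector test, not a library"
    name = b"stray.bin"
    header = LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 0, 0, 0, zlib.crc32(payload),
                            len(payload), len(payload), len(name), 0)
    stray = header + name + payload
    patched = data[:cd_offset] + stray + data[cd_offset:]
    # Keep the EOCD pointing at the (now shifted) Central Directory so the
    # archive still opens cleanly; the Central Directory itself is untouched.
    eocd += len(stray)
    return (patched[:eocd + 16] + struct.pack("<I", cd_offset + len(stray))
            + patched[eocd + 20:])


if __name__ == "__main__":
    for label, jar in (("clean", build_sample_jar()),
                       ("spliced", build_sample_jar(with_stray_entry=True))):
        print(label, "hidden entries:", find_hidden_entries(jar))
```

Run against a real JAR, a non-empty result is the condition that should stop processing before any entry is written to disk; a loader that insists on the Central Directory being the only source of truth for which entries exist (or that re-hashes every extracted file against the signed manifest) closes the same gap on the consuming side.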