← Back

CVE-2026-39395

nvd nist
Published: Apr 7, 2026Modified: Apr 15, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Affected (2)

Products: Sigstore: Cosign
Sigstore
1 product
Cosign
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Sigstore
Cosign
Before 2.6.3
Cosign
From 3.0.0 to 3.0.6

Related CWEs

CWE-754
Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

References (1)

Source: security-advisories@github.com
MitigationVendor Advisory

Timeline

No history available yet.