CVE-2026-23831
MEDIUM 5.3 | EPSS 0.02% | Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message
Published: 2026/1/22 | Modified: 2026/2/4
Description
## Summary

Rekor's cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty `spec.message`. `validate()` returns nil (success) when `message` is empty, leaving `sign1Msg` uninitialized, and `Canonicalize()` later dereferences `v.sign1Msg.Payload`.

## Impact

A malformed proposed entry of the `cose/v0.0.1` type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues; the availability impact is therefore minimal.

## Patches

Upgrade to v1.5.0.

## Workarounds

None.
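The following is an added illustration of the bug pattern the advisory describes, not Rekor's own code: a simplified entry type whose lenient `validate` accepts an empty message without populating the `sign1Msg` pointer, so the later canonicalization step dereferences nil. The strict variant rejects the empty message up front, and `processEntry` shows the recover-to-500 behaviour the advisory mentions. All type and function names here (`Entry`, `Sign1Message`, `validateLenient`, `validateStrict`, `canonicalize`, `processEntry`) are assumptions for the example and do not correspond to Rekor's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Sign1Message is a stand-in (assumption, not Rekor's type) for a parsed COSE_Sign1 structure.
type Sign1Message struct {
	Payload []byte
}

// Spec models the proposed entry's spec with its optional message field (assumed shape).
type Spec struct {
	Message []byte
}

// Entry is a simplified model of the cose/v0.0.1 entry type; field names are assumptions.
type Entry struct {
	spec     Spec
	sign1Msg *Sign1Message
}

// validateLenient reproduces the flaw the advisory describes: an empty message is treated
// as "nothing to validate" and returns success, so sign1Msg is never populated.
func validateLenient(e *Entry) error {
	if len(e.spec.Message) == 0 {
		return nil
	}
	e.sign1Msg = &Sign1Message{Payload: e.spec.Message}
	return nil
}

// validateStrict is the hardened form: an empty message is rejected, so every entry
// that reaches canonicalize has a non-nil sign1Msg.
func validateStrict(e *Entry) error {
	if len(e.spec.Message) == 0 {
		return errors.New("cose entry: spec.message is required")
	}
	e.sign1Msg = &Sign1Message{Payload: e.spec.Message}
	return nil
}

// canonicalize dereferences sign1Msg unconditionally, as the advisory says Canonicalize does.
// With a nil sign1Msg this is a runtime nil pointer dereference.
func canonicalize(e *Entry) ([]byte, error) {
	return append([]byte("payload:"), e.sign1Msg.Payload...), nil
}

// processEntry runs validate-then-canonicalize and converts any panic into an error,
// mirroring a recovered request handler that answers the client with a 500.
func processEntry(e *Entry, validate func(*Entry) error) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = nil
			err = fmt.Errorf("internal error (recovered panic): %v", r)
		}
	}()
	if verr := validate(e); verr != nil {
		return nil, fmt.Errorf("bad request: %w", verr)
	}
	return canonicalize(e)
}

func main() {
	validators := []struct {
		name string
		fn   func(*Entry) error
	}{{"lenient", validateLenient}, {"strict", validateStrict}}
	// Constructed input: a proposed entry with an empty message.
	for _, v := range validators {
		_, err := processEntry(&Entry{}, v.fn)
		fmt.Printf("%s validate, empty message: %v\n", v.name, err)
	}
}
```

The lenient path surfaces only at canonicalization time as a recovered panic, which is why the client sees a generic 500 rather than a validation error; the strict path fails fast with a 4xx-style error and never reaches the dereference.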
Affected packages (3)
- Debian/rekor from 0
- Go/github.com/sigstore/rekor from 0, < 1.5.0
- Go/github.com/sigstore/rekor from 0, < 1.5.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-23831
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-23831
- PATCH: https://github.com/sigstore/rekor
- WEB: https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd
- WEB: https://github.com/sigstore/rekor/releases/tag/v1.5.0
- WEB: https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833