CVE-2026-39395

MEDIUM4.3EPSS 0.04%

Cosign's verify-blob-attestation reports false positive when payload parsing fails

發布日:2026/4/8修改日:2026/4/28

描述

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

受影響套件(4)

Bitnami/cosignfrom 0, < 2.6.3, >= 3.0.0, < 3.0.6
Debian/cosignfrom 0
Debian/golang-github-sigstore-cosign-v2from 0, < 2.6.3-2
Go/github.com/sigstore/cosign>= 3.0.0, < 3.0.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-39395
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-39395
PATCHhttps://github.com/sigstore/cosign
WEBhttps://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6