216.73.217.86

CVE-2026-39395

· Published 07/04/2026 20:16 · Modified 08/04/2026 21:27

Labels: CVE-2026-39395 2026-04-07CVE-2026-39395CWE-754[email protected]

Essential information

Published
07/04/2026 20:16
Modified
08/04/2026 21:27
Author
Creator
CVSS
4.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS metrics

Description

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sigstore / cosign cpe:2.3:a:sigstore:cosign:<3.0.6:*:*:*:*:*:*:*
sigstore / cosign cpe:2.3:a:sigstore:cosign:<2.6.3:*:*:*:*:*:*:*

References