CVE-2026-39395

EPSS 0.03%
Veröffentlicht 07.04.2026 20:06:28
Zuletzt bearbeitet 15.04.2026 15:57:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sigstore ≫ Cosign Version < 2.6.3

Sigstore ≫ Cosign Version >= 3.0.0 < 3.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.082

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-39395

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39395

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39395

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39395