Platform: go
Component: github.com/sigstore/cosign
Fixed in: 3.0.6, 3.0.5
CVE-2026-24122 is a security vulnerability affecting Cosign, a tool for signing and verifying container images and other artifacts. This flaw allows Cosign to consider signatures valid even when they are signed with expired intermediate certificates, particularly when transparency log verification is bypassed. The vulnerability impacts versions of Cosign prior to 3.0.5 and could allow attackers to distribute and install malicious software.
The core impact of CVE-2026-24122 lies in the potential for unauthorized software installation. An attacker could sign a malicious artifact with a certificate chain that includes an expired intermediate certificate. If transparency log verification is disabled or bypassed, Cosign will incorrectly validate the signature as legitimate, allowing the attacker to distribute and install the malicious artifact. This could lead to a compromise of systems relying on Cosign for verification, potentially enabling attackers to gain control over container deployments or other critical infrastructure. The blast radius depends on the scope of Cosign's usage within an organization; widespread adoption increases the potential impact.
CVE-2026-24122 was publicly disclosed on 2026-02-23. The CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. No public proof-of-concept (POC) code has been released as of this writing. It is not currently listed on the CISA KEV catalog. Given the need for bypassing transparency log verification, exploitation may require specific configuration or insider access.
Organizations heavily reliant on Cosign for container image signing and verification are at risk. This includes DevOps teams, CI/CD pipelines, and any environment where Cosign is used to ensure the integrity of software artifacts. Specifically, those with custom Cosign configurations or those who have disabled transparency log verification are at higher risk.
• go / binary: Examine Cosign binaries for signs of tampering or modification. Use go build to rebuild from source and verify checksums.
• generic web: Monitor Cosign API endpoints for unusual signature validation requests or errors. Check access logs for patterns indicative of attempted signature manipulation.
• generic web: Inspect Cosign configuration files for disabled transparency log verification. Look for unusual certificate paths or settings.
• generic web: Review system logs for Cosign-related errors or warnings, particularly those related to certificate validation.
Disclosure
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24122 is to upgrade Cosign to version 3.0.5 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, ensure that transparency log verification is enabled and properly configured within your Cosign workflows. Disabling transparency log verification should be avoided unless absolutely necessary and with a thorough understanding of the security implications. Consider implementing stricter certificate chain validation policies within your signing and verification processes to further reduce the risk. After upgrade, confirm by verifying signatures with known good artifacts and examining Cosign logs for any validation errors.
Upgrade Cosign to version 3.0.5 or later. That version corrects the faulty certificate chain validation, ensuring that the issuing certificates had not expired before the leaf certificate was issued.
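As an added illustration of the defect class described above, and not Cosign's own code, the following Go program builds a constructed three-certificate chain (all names, validity windows and times are made up for the example) whose intermediate CA expired before the short-lived leaf was even issued. It then applies two checks: a weak one that only confirms the leaf was valid at signing time and verifies issuer signatures, and a strict one that requires every certificate on the path to be valid at the signing instant, which is the property the fix enforces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is laid out the way a signature bundle carries it: leaf first,
// then the issuing intermediates, then the trust anchor.
type Chain struct {
	Leaf          *x509.Certificate
	Intermediates []*x509.Certificate
	Root          *x509.Certificate
}

// mustCert issues a certificate signed by parent (self-signed when parent is nil).
// Names and validity windows are constructed for this example only.
func mustCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// LeafOnlyCheck models the weak behaviour: the leaf's window is checked against
// the signing time and issuer signatures are verified, but the issuers' own
// NotBefore/NotAfter windows are never consulted.
func LeafOnlyCheck(c Chain, signedAt time.Time) error {
	if signedAt.Before(c.Leaf.NotBefore) || signedAt.After(c.Leaf.NotAfter) {
		return fmt.Errorf("leaf certificate not valid at %s", signedAt.UTC())
	}
	child := c.Leaf
	for _, issuer := range append(append([]*x509.Certificate{}, c.Intermediates...), c.Root) {
		// CheckSignatureFrom verifies the signature only, not the issuer's validity period.
		if err := child.CheckSignatureFrom(issuer); err != nil {
			return err
		}
		child = issuer
	}
	return nil
}

// FullChainCheck is the corrected behaviour: x509.Verify evaluates every
// certificate on the path, intermediates and root included, at CurrentTime.
func FullChainCheck(c Chain, signedAt time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	for _, ic := range c.Intermediates {
		inters.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   signedAt,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// RunScenario builds the constructed chain and returns both verdicts. With
// intermediateExpired set, the intermediate's NotAfter lies 30 days before the
// leaf was issued; otherwise the intermediate is healthy.
func RunScenario(intermediateExpired bool) (weakErr, strictErr error) {
	t0 := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed reference time
	root, rootKey := mustCert("Example Root CA", true, t0.AddDate(-1, 0, 0), t0.AddDate(10, 0, 0), nil, nil)
	interNotAfter := t0.AddDate(5, 0, 0)
	if intermediateExpired {
		interNotAfter = t0.AddDate(0, 0, -30)
	}
	inter, interKey := mustCert("Example Intermediate CA", true, t0.AddDate(-1, 0, 0), interNotAfter, root, rootKey)
	leaf, _ := mustCert("signer@example.test", false, t0, t0.Add(10*time.Minute), inter, interKey) // short-lived leaf
	chain := Chain{Leaf: leaf, Intermediates: []*x509.Certificate{inter}, Root: root}
	signedAt := t0.Add(time.Minute)
	return LeafOnlyCheck(chain, signedAt), FullChainCheck(chain, signedAt)
}

func main() {
	weak, strict := RunScenario(true)
	fmt.Printf("expired intermediate, leaf-only check: %v\n", weak)
	fmt.Printf("expired intermediate, full-chain check: %v\n", strict)
}
```

Run it and the leaf-only check returns nil for the bad chain while the full-chain check reports an expired certificate on the path; with a healthy intermediate both accept. The point for verifiers is that signing-time validation must be applied to the whole path, not just the leaf, whenever a transparency-log timestamp is not there to anchor it.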
CVE-2026-24122 is a vulnerability in Cosign that allows signatures with expired intermediate certificates to be considered valid if transparency log verification is skipped, potentially enabling unauthorized software installation.
You are affected if you are using Cosign versions prior to 3.0.5 and have not ensured that transparency log verification is enabled and properly configured.
Upgrade Cosign to version 3.0.5 or later. Ensure transparency log verification is enabled and properly configured if upgrading is not immediately possible.
As of now, there is no evidence of active exploitation of CVE-2026-24122, and no public proof-of-concept code is available.
Refer to the official Cosign project repository and security announcements for the latest information and advisory regarding CVE-2026-24122.