Platform
go
Component
github.com/sigstore/cosign
Fixed in
3.0.6
3.0.5
CVE-2026-24122 is a security vulnerability in Cosign, a tool for signing and verifying container images and other artifacts. Affected versions accept a signature as valid even when the certificate chain behind it contains an expired intermediate certificate, provided the verifier skips transparency log verification. Versions of Cosign prior to 3.0.5 are affected; a successful attack would let an adversary distribute a malicious artifact that passes signature verification and is then installed.
The core impact of CVE-2026-24122 is unauthorized software installation. An attacker signs a malicious artifact with a certificate chain whose intermediate certificate has expired. When transparency log verification is disabled or bypassed, Cosign lacks the log's integrated timestamp and must judge the chain against the current time; an affected version fails to reject the expired intermediate and treats the signature as legitimate. Systems that rely on Cosign as an admission or deployment gate would then run the attacker's artifact, which can hand the attacker control of container deployments or other infrastructure. The blast radius scales with how widely Cosign verification is used as a trust decision within an organization.
CVE-2026-24122 was publicly disclosed on 2026-02-23. The CVSS base score is 3.7 (Low); note that CVSS measures assessed severity, not likelihood of exploitation, which the EPSS estimate below addresses separately. No public proof-of-concept (PoC) code has been released as of this writing, and the CVE is not listed in the CISA KEV catalog. Because exploitation requires a verifier that skips transparency log verification (for example, a `cosign verify` invocation using `--insecure-ignore-tlog`), it depends on a specific verifier configuration or on an attacker able to influence that configuration.
Exploit Status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-24122 is to upgrade Cosign to version 3.0.5 or later, which contains the fix. If upgrading is not immediately feasible, keep transparency log verification enabled in every Cosign verification workflow and audit CI and admission-controller configurations for flags that skip it (such as `--insecure-ignore-tlog` on `cosign verify`). Disabling transparency log verification should be avoided unless absolutely necessary and only with a clear understanding that the verifier then loses the log's trusted timestamp and must rely entirely on its own certificate chain checks. After upgrading, confirm the installed version with `cosign version`, verify a known-good artifact to check the pipeline still passes, and verify an artifact signed with an expired chain (if you have one from a test signer) to confirm it is now rejected.
Update Cosign to version 3.0.5 or higher. This version corrects the certificate chain validation so that the issuing (intermediate) certificates are checked for expiry as well as the leaf certificate, rather than the leaf alone.
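To make the class of check concrete, the following is an added Go example written for this page; it is not Cosign's code and does not reproduce the exact code path that was fixed. It builds a constructed three-tier PKI (root, intermediate, leaf) in which the intermediate expired a year ago while the leaf is still inside its own validity window, then contrasts a leaf-only expiry check with full path validation using the standard library's `x509.Certificate.Verify`. Full validation is run at two times: the current time, which is the only time a verifier can use when it has no transparency log entry, and an assumed transparency-log integrated time 18 months ago, standing in for the timestamp a Sigstore verifier would normally take from the log. The key and certificate material is generated at run time and is test data only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain holds a constructed root -> intermediate -> leaf test PKI (example data, not a Sigstore chain).
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain issues an intermediate that expired one year before now and a leaf
// that is still valid now, so only the issuer is stale.
func buildChain(now time.Time) chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.AddDate(-5, 0, 0), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Intermediate"},
		NotBefore: now.AddDate(-3, 0, 0), NotAfter: now.AddDate(-1, 0, 0), // already expired
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "signer@example.test"},
		NotBefore: now.AddDate(-2, 0, 0), NotAfter: now.AddDate(2, 0, 0), // still valid
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return chain{root, inter, leaf}
}

// leafOnlyAccepts models the flawed behaviour the advisory describes: only the
// leaf's validity window is consulted, so an expired issuer is never noticed.
func leafOnlyAccepts(c chain, at time.Time) bool {
	return !at.Before(c.leaf.NotBefore) && !at.After(c.leaf.NotAfter)
}

// verifyChainAt performs full path validation, checking every certificate's
// validity window (leaf, intermediate and root) at the supplied time.
func verifyChainAt(c chain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root)
	inters.AddCert(c.intermediate)
	_, err := c.leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	now := time.Now()
	c := buildChain(now)
	loggedAt := now.AddDate(0, -18, 0) // assumed tlog integrated time, inside the intermediate's window

	fmt.Println("leaf-only check at now accepts:", leafOnlyAccepts(c, now))
	fmt.Println("full chain at now:", verifyChainAt(c, now))
	fmt.Println("full chain at logged time:", verifyChainAt(c, loggedAt))
}
```

Run as is: the leaf-only check reports `true`, full validation at the current time fails with an expired-certificate error from the intermediate, and full validation at the assumed log time succeeds. That last case is why a transparency log entry matters: it supplies a trusted signing time, so a chain that has since expired can still be judged as it stood when the signature was made. Without that entry, the verifier has only the current time, and the intermediate must cause rejection.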
CVE-2026-24122 is a vulnerability in Cosign that causes signatures backed by an expired intermediate certificate to be accepted when transparency log verification is skipped, potentially enabling unauthorized software installation.
You are affected if you run a Cosign version prior to 3.0.5 and any of your verification workflows skip transparency log verification.
Upgrade Cosign to version 3.0.5 or later. If upgrading is not immediately possible, make sure transparency log verification is enabled in every verification workflow.
As of this writing, there is no evidence of active exploitation of CVE-2026-24122 and no public proof-of-concept code is available.
Refer to the official Cosign project repository and security announcements for the latest information and advisory regarding CVE-2026-24122.