CVE-2026-23831
ADVISORY - githubSummary
Summary
Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.
Impact
A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.
Patches
Upgrade to v1.5.0
Workarounds
None
Common Weakness Enumeration (CWE)
NULL Pointer Dereference
NULL Pointer Dereference
NULL Pointer Dereference
NIST
3.9
CVSS SCORE
5.3mediumGitHub
3.9
CVSS SCORE
5.3mediumAlpine
-
Debian
-
Ubuntu
-
CVSS SCORE
N/AmediumGoLang
-
Red Hat
3.9
CVSS SCORE
5.3mediumChainguard
CGA-28f7-f37x-xfxj
-
minimos
MINI-299f-xvhq-vgpp
-
minimos
MINI-4885-c5jf-xj4f
-
minimos
MINI-4j5w-fcr3-8mr5
-
minimos
MINI-567h-vvvr-5h8w
-
minimos
MINI-6qw9-5vr8-r8hm
-
minimos
MINI-8746-q95f-f4mx
-
minimos
MINI-8958-pjf7-j627
-
minimos
MINI-977x-x2mx-723m
-
minimos
MINI-9pqh-jpjq-f2q6
-
minimos
MINI-9rqp-vr67-3rjg
-
minimos
MINI-fpqp-xp5m-5r2f
-
minimos
MINI-g468-8ccw-qh6c
-
minimos
MINI-g6hc-gv44-mg2w
-
minimos
MINI-gv3r-9x35-9cg2
-
minimos
MINI-jcj6-rjr9-qcwp
-
minimos
MINI-jcqm-24rp-crgc
-
minimos
MINI-jf74-3q4p-r2c6
-
minimos
MINI-mg34-4hm2-678p
-
minimos
MINI-v42g-4496-3fcq
-
minimos
MINI-v526-5957-gccm
-
minimos
MINI-xfqv-3mq2-ppv4
-