CVE-2026-24122

Aliases:GHSA-wfqv-66vq-46rmBIT-cosign-2026-24122GO-2026-4529
Advisory lineage Upstream: 0 Downstream: 8
Analyzed
Published: 19 Feb 2026, 22:27
Last modified:20 Feb 2026, 15:41

Vulnerability Summary

Overall Risk (default)
medium
25/100
CVSS Score
3.7 LOW
v3.1 (cve.org)
EPSS Score
0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

19 Feb 2026, 22:27
Published
Vulnerability first disclosed
20 Feb 2026, 15:41
Last Modified
Vulnerability information updated

Description

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.

CVSS Metrics

  • v3.1LOWScore: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.01% Percentile: 1%

Techniques & Countermeasures

  • CWE-295Improper Certificate Validation

    The product does not validate, or incorrectly validates, a certificate.

Affected Systems

  • github.com/sigstorecosign

    < 3.0.5 | all

  • github.com/sigstore/cosignv2

    all

  • github.com/sigstore/cosignv3

    < 3.0.5

  • sigstorecosign

    < 3.0.5

References (5)