Vulnerability-Lookup

RHSA-2026:24482

Vulnerability from csaf_redhat - Published: 2026-06-08 13:11 - Updated: 2026-06-20 13:51

Summary

Red Hat Security Advisory: RHTAS 1.3.5 - Red Hat Trusted Artifact Signer Release

Severity

Important

Notes

Topic: The 1.3.5 release of Red Hat Trusted Artifact Signer OpenShift Operator. For more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3

Details: The RHTAS Operator can be used with OpenShift Container Platform 4.16, 4.17, 4.18, 4.19, 4.20 and 4.21

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-32281

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64		—	Vendor Fix fix Workaround

Known not affected 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64	—	Workaround

Threats

Impact Moderate

CVE-2026-32282

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64		—	Vendor Fix fix Workaround

Known not affected 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64	—	Workaround

Threats

Impact Moderate

CVE-2026-33815

A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-787 - Out-of-bounds Write

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64		—	Vendor Fix fix Workaround

Known not affected 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64	—	Workaround

Threats

Impact Important

CVE-2026-33816

A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-787 - Out-of-bounds Write

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64		—	Vendor Fix fix Workaround

Known not affected 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64	—	Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64	—	Workaround

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64	—	Vendor Fix fix Workaround

Known not affected 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64		—	Workaround

Threats

Impact Important

References

41 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:24482	self
https://access.redhat.com/documentation/en-us/red…	external
https://access.redhat.com/documentation/en-us/red…	external
https://access.redhat.com/security/cve/CVE-2026-32281	external
https://access.redhat.com/security/cve/CVE-2026-32282	external
https://access.redhat.com/security/cve/CVE-2026-33815	external
https://access.redhat.com/security/cve/CVE-2026-33816	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-32281	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456333	external
https://www.cve.org/CVERecord?id=CVE-2026-32281	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32281	external
https://go.dev/cl/758061	external
https://go.dev/issue/78281	external
https://groups.google.com/g/golang-announce/c/0uY…	external
https://pkg.go.dev/vuln/GO-2026-4946	external
https://access.redhat.com/security/cve/CVE-2026-32282	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456336	external
https://www.cve.org/CVERecord?id=CVE-2026-32282	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32282	external
https://go.dev/cl/763761	external
https://go.dev/issue/78293	external
https://pkg.go.dev/vuln/GO-2026-4864	external
https://access.redhat.com/security/cve/CVE-2026-33815	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455975	external
https://www.cve.org/CVERecord?id=CVE-2026-33815	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33815	external
https://pkg.go.dev/vuln/GO-2026-4771	external
https://access.redhat.com/security/cve/CVE-2026-33816	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455972	external
https://www.cve.org/CVERecord?id=CVE-2026-33816	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33816	external
https://pkg.go.dev/vuln/GO-2026-4772	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The 1.3.5 release of Red Hat Trusted Artifact Signer OpenShift Operator.\nFor more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The RHTAS Operator can be used with OpenShift Container Platform 4.16, 4.17, 4.18, 4.19, 4.20 and 4.21",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:24482",
        "url": "https://access.redhat.com/errata/RHSA-2026:24482"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32282",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33815",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33816",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24482.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHTAS 1.3.5 - Red Hat Trusted Artifact Signer Release",
    "tracking": {
      "current_release_date": "2026-06-20T13:51:28+00:00",
      "generator": {
        "date": "2026-06-20T13:51:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:24482",
      "initial_release_date": "2026-06-08T13:11:51+00:00",
      "revision_history": [
        {
          "date": "2026-06-08T13:11:51+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-08T13:11:59+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-20T13:51:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Trusted Artifact Signer 1.3",
                "product": {
                  "name": "Red Hat Trusted Artifact Signer 1.3",
                  "product_id": "Red Hat Trusted Artifact Signer 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Trusted Artifact Signer"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
                  "product_id": "registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cosign-rhel9@sha256%3Ace13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/cosign-rhel9\u0026tag=1780049582"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
                  "product_id": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/fetch-tsa-certs-rhel9@sha256%3A3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/fetch-tsa-certs-rhel9\u0026tag=1780051354"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
                  "product_id": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitsign-rhel9@sha256%3A19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/gitsign-rhel9\u0026tag=1780052587"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
                  "product_id": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rekor-cli-rhel9@sha256%3A82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/rekor-cli-rhel9\u0026tag=1780049214"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64",
                  "product_id": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/updatetree-rhel9@sha256%3A806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/updatetree-rhel9\u0026tag=1780053572"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32281",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-04-08T02:01:00.930989+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456333"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64"
        ],
        "known_not_affected": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456333",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758061",
          "url": "https://go.dev/cl/758061"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78281",
          "url": "https://go.dev/issue/78281"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4946",
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "release_date": "2026-04-08T01:06:58.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T13:11:51+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24482"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
    },
    {
      "cve": "CVE-2026-32282",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2026-04-08T02:01:12.683211+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456336"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64"
        ],
        "known_not_affected": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456336",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/763761",
          "url": "https://go.dev/cl/763761"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78293",
          "url": "https://go.dev/issue/78293"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4864",
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "release_date": "2026-04-08T01:06:55.953000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T13:11:51+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24482"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
    },
    {
      "cve": "CVE-2026-33815",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T16:01:25.130006+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455975"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        ],
        "known_not_affected": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455975",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455975"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33815",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33815",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4771",
          "url": "https://pkg.go.dev/vuln/GO-2026-4771"
        }
      ],
      "release_date": "2026-04-07T15:19:24.344000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T13:11:51+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24482"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability"
    },
    {
      "cve": "CVE-2026-33816",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T16:01:14.142946+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455972"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        ],
        "known_not_affected": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455972",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455972"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33816",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4772",
          "url": "https://pkg.go.dev/vuln/GO-2026-4772"
        }
      ],
      "release_date": "2026-04-07T15:19:24.529000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T13:11:51+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24482"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
        ],
        "known_not_affected": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T13:11:51+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24482"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/cosign-rhel9@sha256:ce13481894c8221aac0eb0558a940038ef490433339199d07687fb19521dae67_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:3941ce6dadc616e3144b62f047e595fa4d14f5d6dd2b6a5ac72daea079d48e48_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/gitsign-rhel9@sha256:19bdf80850dd534dd73be69c97dc1c3dfc58871c11bef5b5f44e6e37c4c84c93_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:82d86b76b9557e4018e9eefcb6ee9731437f76ae1aac60d1b73849a1a82d157a_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/updatetree-rhel9@sha256:806a999984c47cf2fef698c91f9f208a59452f04c13326bbd1261cb471343daf_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    }
  ]
}

CVE-2026-32281 (GCVE-0-2026-32281)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19

Title

Inefficient policy validation in crypto/x509

Summary

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4946

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:52:37.734298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:19:44.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "policiesValid"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758061"
        },
        {
          "url": "https://go.dev/issue/78281"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "title": "Inefficient policy validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32281",
    "datePublished": "2026-04-08T01:06:58.354Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:19:44.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32282 (GCVE-0-2026-32282)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Summary

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Severity

6.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4864

Impacted products

1 product

Vendor	Product	Version
Go standard library	internal/syscall/unix	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Uuganbayar Lkhamsuren (https://github.com/uug4na)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:47:42.666766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:56.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "internal/syscall/unix",
          "platforms": [
            "linux"
          ],
          "product": "internal/syscall/unix",
          "programRoutines": [
            {
              "name": "Fchmodat"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Uuganbayar Lkhamsuren (https://github.com/uug4na)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:55.953Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763761"
        },
        {
          "url": "https://go.dev/issue/78293"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "title": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32282",
    "datePublished": "2026-04-08T01:06:55.953Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:20:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33815 (GCVE-0-2026-33815)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33815 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-129 — Improper Validation of Array Index

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4771

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:21:42.714758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:02.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "Bind.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-129 \u2014 Improper Validation of Array Index",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T18:30:29.157Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4771"
        }
      ],
      "title": "CVE-2026-33815 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33815",
    "datePublished": "2026-04-07T15:19:24.344Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:02.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33816 (GCVE-0-2026-33816)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33816 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-697 — Incorrect Comparison

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4772

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:24:50.570972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:30.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "FunctionCall.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-697 \u2014 Incorrect Comparison",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T15:49:13.116Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4772"
        }
      ],
      "title": "CVE-2026-33816 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33816",
    "datePublished": "2026-04-07T15:19:24.529Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:30.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:24482

CVE-2026-32281 (GCVE-0-2026-32281)

CVE-2026-32282 (GCVE-0-2026-32282)

CVE-2026-33815 (GCVE-0-2026-33815)

CVE-2026-33816 (GCVE-0-2026-33816)

CVE-2026-34986 (GCVE-0-2026-34986)

Tags

Sightings

Nomenclature