CVE-2026-24122— Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-24122
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
证书验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
cosign 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
cosign是美国的一个 OCI 注册表中的容器签名、验证和存储。 Cosign 3.0.4及之前版本存在信任管理问题漏洞,该漏洞源于证书验证逻辑问题,可能导致在验证时错误地将已过期的签发证书视为有效。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-24122
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-24122
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: cosign
- CVE-2026-39395
Cosign's verify-blob-attestation reports false positive when - CVE-2026-22703
Cosign verification accepts any valid Rekor entry under cert - CVE-2024-29903
Cosign vulnerable to machine-wide denial of service via mali - CVE-2024-29902
Cosign vulnerable to system-wide denial of service via malic - CVE-2023-46737
Possible endless data attack from attacker-controlled regist
Same vendor: sigstore
- CVE-2026-39984
Sigstore Timestamp Authority has Improper Certificate Valida - CVE-2026-39395
Cosign's verify-blob-attestation reports false positive when - CVE-2026-31830
sigstore-ruby verifier returns success for DSSE bundles with - CVE-2026-24408
sigstore has CSRF possibility in OIDC authentication during - CVE-2026-24137
sigstore legacy TUF client allows for arbitrary file writes
Same weakness: CWE-295
V. Comments for CVE-2026-24122
No comments yet