CVE-2026-44309— gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Possible ATT&CK Techniques 1AI
T1565.001 · Stored Data ManipulationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44309
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Source: NVD (National Vulnerability Database)
Vulnerability Description
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Gitsign 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Gitsign是Gitsign个人开发者的一个能够免密钥完成对Git提交进行签名的工具。 Gitsign 0.16.0之前版本存在信任管理问题漏洞,该漏洞源于gitsign verify和gitsign verify-tag在检查签名前通过go-git的EncodeWithoutSignature重新编码提交/标签对象,而非验证原始git对象字节,对于具有重复树标头的畸形对象,git-core和go-git解析不同树,导致签名绕过验证而git-core解析为完全不同树,破坏验证签名、git-core呈现的
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44309
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44309
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44309 (1)
IV. Related Vulnerabilities
Same vendor: sigstore
- CVE-2026-44310
gitsign --verify panics on empty-certificate PKCS7 and exits - CVE-2026-39984
Sigstore Timestamp Authority has Improper Certificate Valida - CVE-2026-39395
Cosign's verify-blob-attestation reports false positive when - CVE-2026-31830
sigstore-ruby verifier returns success for DSSE bundles with - CVE-2026-24122
Cosign Certificate Chain Expiry Validation Issue Allows Issu
Same weakness: CWE-347
- CVE-2025-41669
Insufficient Verification of Data Authenticity - CVE-2026-45575
epa4all-client: Improper Verification of Cryptographic Signa - CVE-2026-44714
bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass - CVE-2024-36334
AMD Graphics Driver 数据伪造问题漏洞 - CVE-2026-0265
PAN-OS: Authentication Bypass with Cloud Authentication Serv
V. Comments for CVE-2026-44309
No comments yet