CVE-2026-23831

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.

Database specific

{
    "cwe_ids": [
        "CWE-476"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23831.json"
}

References

Affected packages

Git / github.com/sigstore/rekor

Affected ranges

Type: GIT
Repo: https://github.com/sigstore/rekor
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fe9717fd6ee4cfecedc30e5fd64c9872bc2ac61c

Affected versions

v0.*

v0.1.0

v0.1.1

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v0.9.1

v1.*

v1.0-rc

v1.0.0

v1.0.0-rc.1

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1

v1.3.10

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.1

v1.4.2

v1.4.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23831.json"