CVE-2026-24122

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24122

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24122.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24122

Aliases

Downstream

DEBIAN-CVE-2026-24122

UBUNTU-CVE-2026-24122

Published

2026-02-19T22:27:08.828Z

Modified

2026-03-01T02:56:48.693226Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked

Details

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-295"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24122.json"
}

References

Affected packages

Git / github.com/sigstore/cosign

Affected ranges

Type: GIT
Repo: https://github.com/sigstore/cosign
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

479147a4df05f31be48aeb2b3a9d32dfc35ba877

Affected versions

cosigned-v0.*

cosigned-v0.0.1-dev

cosigned-v0.0.2-dev

cosigned-v0.0.3-dev

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.5.0

v0.6.0

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.10.0

v1.10.0-rc.1

v1.10.1

v1.11.0

v1.11.1

v1.12.0

v1.12.1

v1.13.0

v1.13.1

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.6.0

v1.7.0

v1.7.1

v1.7.2

v1.8.0

v1.9.0

v2.*

v2.0.0

v2.0.0-rc.0

v2.0.0-rc.1

v2.0.0-rc.2

v2.0.0-rc.3

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.3.0

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.6.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24122.json"