Lucene search
K

596 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-326 dcap-qvl has Missing Verification for QE Identity

Impact This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature...

9.3CVSS5.9AI score0.00208EPSS
Exploits0References5
OSV
OSV
added 2026/06/25 10:34 p.m.6 views

GO-2026-5694 Cosign's verify-blob-attestation reports false positive when payload parsing fails in github.com/sigstore/cosign

Cosign's verify-blob-attestation reports false positive when payload parsing fails in github.com/sigstore/cosign...

5.3CVSS5.8AI score0.00241EPSS
Exploits0References2
OSV
OSV
added 2026/06/25 6:43 p.m.9 views

GO-2026-5298 Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() in github.com/google/go-attestation

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList in github.com/google/go-attestation...

8.9CVSS5.8AI score0.00191EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 12:5 p.m.3 views

RLSA-2026:28582 Moderate: keylime security update

Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. Security Fixes: keylime: Keylime: Security bypass due to hardcoded TPM quote nonce CVE-2026-6420 For more details about the security issues, including the impact, a CVSS score,...

6.3CVSS5.9AI score0.00121EPSS
Exploits0References2
Rockylinux
Rockylinux
added 2026/06/25 12:5 p.m.6 views

keylime security update

An update is available for keylime. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Keylime is a TPM based highly scalable remote boot attestation and runtime...

6.3CVSS6AI score0.00121EPSS
Exploits0
NVD
NVD
added 2026/06/24 2:16 a.m.11 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS0.00191EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 2:16 a.m.4 views

UBUNTU-CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References5
OSV
OSV
added 2026/06/24 12:49 a.m.4 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/24 12:49 a.m.10 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/24 12:49 a.m.17 views

EUVD-2026-38641

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/24 12:49 a.m.36 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS0.00191EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 12:49 a.m.26 views

CVE-2026-12681

Summary: CVE-2026-12681 affects Google go-attestation prior to 0.6.1. The issue arises in parseEfiSignatureList(): the buffer is not advanced past vendor bytes before reading entries, enabling attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM ev...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 3:12 p.m.2 views

OPENSUSE-SU-2026:21036-1 Security update for cosign

This update for cosign fixes the following issues Security issue: - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Non security issue: - Update to version 3.0.5 jscSLE-23879...

5.3CVSS5.8AI score0.00241EPSS
Exploits0References2
OSV
OSV
added 2026/06/22 3:10 p.m.3 views

SUSE-SU-2026:22344-1 Security update for cosign

This update for cosign fixes the following issues Security issue: - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Non security issue: - Update to version 3.0.5 jscSLE-23879...

5.3CVSS5.8AI score0.00241EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 2:35 p.m.3 views

OPENSUSE-SU-2026:21025-1 Security update for keylime

This update for keylime fixes the following issue - CVE-2026-6420: use of hardcoded challenge nonce for TPM quote attestation allows for security bypass bsc1264265. Changes for keylime: - Update to version 7.14.2...

6.3CVSS5.8AI score0.00121EPSS
Exploits0References2
OSV
OSV
added 2026/06/22 2:27 p.m.3 views

SUSE-SU-2026:22326-1 Security update for keylime

This update for keylime fixes the following issue - CVE-2026-6420: use of hardcoded challenge nonce for TPM quote attestation allows for security bypass bsc1264265. Changes for keylime: - Update to version 7.14.2...

6.3CVSS5.8AI score0.00121EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/14 12:0 a.m.10 views

SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2026:2365-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:2365-1 advisory. This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed...

5.3CVSS5.4AI score0.00241EPSS
Exploits0References4
OSV
OSV
added 2026/06/12 3:4 p.m.9 views

GHSA-9R4W-JG96-92MV Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...

6.8CVSS5.6AI score0.00191EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/12 3:4 p.m.12 views

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...

5.5AI score
Exploits0References5Affected Software1
SUSE Linux
SUSE Linux
added 2026/06/11 7:58 a.m.13 views

Security update for cosign

This update for cosign fixes the following issue CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...

6.9CVSS5.4AI score0.00241EPSS
Exploits0References4
Rows per page
Query Builder