596 matches found
PYSEC-2026-326 dcap-qvl has Missing Verification for QE Identity
Impact This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature...
GO-2026-5694 Cosign's verify-blob-attestation reports false positive when payload parsing fails in github.com/sigstore/cosign
Cosign's verify-blob-attestation reports false positive when payload parsing fails in github.com/sigstore/cosign...
GO-2026-5298 Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() in github.com/google/go-attestation
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList in github.com/google/go-attestation...
RLSA-2026:28582 Moderate: keylime security update
Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. Security Fixes: keylime: Keylime: Security bypass due to hardcoded TPM quote nonce CVE-2026-6420 For more details about the security issues, including the impact, a CVSS score,...
keylime security update
An update is available for keylime. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Keylime is a TPM based highly scalable remote boot attestation and runtime...
CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
UBUNTU-CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
EUVD-2026-38641
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
CVE-2026-12681
Summary: CVE-2026-12681 affects Google go-attestation prior to 0.6.1. The issue arises in parseEfiSignatureList(): the buffer is not advanced past vendor bytes before reading entries, enabling attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM ev...
OPENSUSE-SU-2026:21036-1 Security update for cosign
This update for cosign fixes the following issues Security issue: - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Non security issue: - Update to version 3.0.5 jscSLE-23879...
SUSE-SU-2026:22344-1 Security update for cosign
This update for cosign fixes the following issues Security issue: - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Non security issue: - Update to version 3.0.5 jscSLE-23879...
OPENSUSE-SU-2026:21025-1 Security update for keylime
This update for keylime fixes the following issue - CVE-2026-6420: use of hardcoded challenge nonce for TPM quote attestation allows for security bypass bsc1264265. Changes for keylime: - Update to version 7.14.2...
SUSE-SU-2026:22326-1 Security update for keylime
This update for keylime fixes the following issue - CVE-2026-6420: use of hardcoded challenge nonce for TPM quote attestation allows for security bypass bsc1264265. Changes for keylime: - Update to version 7.14.2...
SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2026:2365-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:2365-1 advisory. This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed...
GHSA-9R4W-JG96-92MV Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...
Security update for cosign
This update for cosign fixes the following issue CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...