GHSA-wfqv-66vq-46rm · Severity: low · Ecosystem: go — Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and earlier, an issuing (intermediate or root) certificate whose validity ends before the leaf certificate's is still treated as valid during verification, even when the timestamp used for verification falls after the issuer's expiry. When verifying an artifact signature with a certificate, Cosign first verifies the certificate chain at the leaf certificate's "not before" time, and only afterwards checks the leaf's own expiry against a signed timestamp (from the Rekor transparency log or from a timestamp authority) or against the current time. The root and issuing certificates are therefore assumed, without being checked, to remain valid for the whole of the leaf's validity period. There is no impact to users of the public Sigstore infrastructure; private deployments with customized PKIs may be affected. The issue is fixed in version 3.0.5.
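To make that ordering concrete, the following is an added Go example written for this page; it is not cosign's code and not the 3.0.5 patch. It builds a throwaway root/intermediate/leaf chain with crypto/x509 in which the intermediate expires before the leaf, then runs two verification policies over it: VerifyVulnerable checks the chain at the leaf's NotBefore and only the leaf's window at signing time, mirroring the advisory's description, while VerifyFixed checks the whole chain at the signing time. The function names, certificate subjects and validity windows are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is an in-memory root -> intermediate -> leaf path generated for illustration only.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert issues tmpl signed with parentKey (self-signed when parent == tmpl); a failure is a template bug, so it panics.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain creates the problematic shape: the intermediate is valid for one hour past now, the leaf it issued for 24 hours.
func BuildChain(now time.Time) *Chain {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	ca := func(cn string, serial int64, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              notAfter,
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca("Illustrative Private Root", 1, now.Add(10*365*24*time.Hour))
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(ca("Illustrative Intermediate", 2, now.Add(time.Hour)), root, &interKey.PublicKey, rootKey)
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "illustrative-ci-signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, &leafKey.PublicKey, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyChainAt lets crypto/x509 build and validate the path at time at: every certificate on the path must be inside its window.
func verifyChainAt(c *Chain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// VerifyVulnerable mirrors the ordering the advisory describes: the chain is checked at the leaf's NotBefore,
// then only the leaf's own window is compared with the signing time, so an issuer expired at signedAt goes unnoticed.
func VerifyVulnerable(c *Chain, signedAt time.Time) error {
	if err := verifyChainAt(c, c.Leaf.NotBefore); err != nil {
		return err
	}
	if signedAt.Before(c.Leaf.NotBefore) || signedAt.After(c.Leaf.NotAfter) {
		return errors.New("leaf certificate not valid at signing time")
	}
	return nil
}

// VerifyFixed evaluates the whole chain at the signing time instead.
func VerifyFixed(c *Chain, signedAt time.Time) error { return verifyChainAt(c, signedAt) }

func main() {
	c := BuildChain(time.Now())
	signedAt := c.Intermediate.NotAfter.Add(time.Hour) // issuer expired, leaf still valid
	fmt.Println("vulnerable ordering accepts:", VerifyVulnerable(c, signedAt) == nil)
	fmt.Println("fixed ordering accepts:", VerifyFixed(c, signedAt) == nil)
}
```

Run with `go run .`: the vulnerable ordering accepts the signature made an hour after the intermediate expired, the fixed ordering rejects it, and both reject a signature made after the leaf itself expires. The signing time passed to VerifyFixed stands in for the Rekor or timestamp-authority timestamp the advisory mentions; using the current time instead, as the title's "transparency log verification is skipped" case implies, follows the same path with a different instant.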
Conclusion & alert: CVE-2026-24122 is rated Exploit Available (50/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.01%). The only evidence behind the "exploit" rating is a single NVD reference carrying the Exploit tag (the GitHub advisory itself); no Exploit-DB entry with an EDB-ID is listed. Recommended action: determine whether you run a private Sigstore deployment with a customized PKI whose issuing certificates can expire before the leaf certificates they sign, and upgrade cosign to 3.0.5 or later.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
EPSS: the daily EPSS score estimates the probability that this CVE sees exploitation activity in the wild within the next 30 days; the percentile ranks that probability against all scored CVEs (a higher percentile means more likely to be exploited relative to others, not more severe).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-02-20 | — | 0.01% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.7 | 3.1 | LOW | — | 2.2 | 1.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | — | 1 source package (cosign); 24 state rows across 2 repos (3.23-community, edge-community): fixed 0, open 24. | https://security.alpinelinux.org/vuln/CVE-2026-24122 |
| debian | not yet assigned | Priority not yet assigned; 1 source package (cosign), 3 status rows across 3 suites (forky, sid, trixie): resolved 2, open 1. | https://security-tracker.debian.org/tracker/CVE-2026-24122 |
| redhat | low | — | https://access.redhat.com/security/cve/CVE-2026-24122 |
| suse | medium | SUSE rates the severity moderate; 12 source package names (cosign-3.0.5-1.1, cosign-3.0.5-150400.3.35.1, …), 47 product×package rows across 38 product lines (Image SL-Micro, Image SL-Micro-Azure, …): Fixed 46, First Fixed 1. | https://www.suse.com/security/cve/CVE-2026-24122/ |
| ubuntu | medium | Ubuntu priority medium; 1 source package (cosign), 4 status rows across 4 suites (jammy, noble, questing, upstream): DNE 2, needs-triage 2. | https://ubuntu.com/security/CVE-2026-24122 |
| URL | Tags |
|---|---|
| https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e | Patch |
| https://github.com/sigstore/cosign/releases/tag/v3.0.5 | Product, Release Notes |
| https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm | Exploit, Vendor Advisory |