Nixpkgs security tracker

Untriaged

Permalink CVE-2026-39395

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 week ago

Cosign's verify-blob-attestation reports false positive when payload parsing fails

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

References

https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6 x_refsource_CONFIRM

Affected products

cosign

==>= 3.0.0, < 3.0.6
==< 2.6.3

Matching in nixpkgs

pkgs.cosign

Container Signing CLI with support for ephemeral keys and Sigstore signing

nixos-unstable 3.0.5
- nixpkgs-unstable 3.0.5
- nixos-unstable-small 3.0.5
nixos-25.11 3.0.5
- nixos-25.11-small 3.0.5
- nixpkgs-25.11-darwin 3.0.5

Package maintainers

@LeSuisse Thomas Gerbet <thomas@gerbet.me>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.cosign

Package maintainers