Medium severity (score 4.3) · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026
CVE-2026-39395
Description
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation; for new-format bundles, the predicate type validation was bypassed completely. In practice this means a verifier that expects one predicate type can be handed an attestation of a different type, or one whose payload does not parse at all, and still report success. This vulnerability is fixed in 3.0.6 and 2.6.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/sigstore/cosign | Go | >= 3.0.0, < 3.0.6 | 3.0.6 |
| github.com/sigstore/cosign | Go | < 2.6.3 | 2.6.3 |
Affected products
59 downstream package coordinates (OSV data). No CPE is assigned to any of these entries; the ranges are the downstream package versions, not cosign's own.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/aactl | < 0.4.12-r55 |
| pkg:apk/chainguard/chainctl | < 0.2.295-r1 |
| pkg:apk/chainguard/chainctl-fips | < 0.2.295-r0 |
| pkg:apk/chainguard/crossplane-1.20 | < 1.20.10-r2 |
| pkg:apk/chainguard/crossplane-2.0 | < 2.0.8-r9 |
| pkg:apk/chainguard/crossplane-2.1 | < 2.1.7-r3 |
| pkg:apk/chainguard/crossplane-2.2 | < 2.2.3-r3 |
| pkg:apk/chainguard/crossplane-2.2-crank | < 2.2.3-r3 |
| pkg:apk/chainguard/crossplane-fips-1.20 | < 1.20.10-r3 |
| pkg:apk/chainguard/crossplane-fips-2.1 | < 2.1.7-r3 |
| pkg:apk/chainguard/crossplane-fips-2.2 | < 2.2.3-r3 |
| pkg:apk/chainguard/crossplane-fips-2.2-crank | < 2.2.3-r3 |
| pkg:apk/chainguard/ko-fips | < 0.19.0-r0 |
| pkg:apk/chainguard/kubescape | < 4.0.9-r5 |
| pkg:apk/chainguard/kubescape-server | < 4.0.9-r6 |
| pkg:apk/chainguard/kubescape-server-downloader | < 4.0.9-r6 |
| pkg:apk/chainguard/kubescape-server-fips | < 4.0.9-r6 |
| pkg:apk/chainguard/kubescape-server-fips-downloader | < 4.0.9-r6 |
| pkg:apk/chainguard/kyverno-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/kyverno-background-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/kyverno-cleanup-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/kyverno-cli-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/kyverno-init-container-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/kyverno-notation-aws-fips | < 1.1-r55 |
| pkg:apk/chainguard/kyverno-reports-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/chainguard/policy-controller | < 0.15.1-r14 |
| pkg:apk/chainguard/policy-controller-fips | < 0.15.1-r10 |
| pkg:apk/chainguard/policy-controller-tester | < 0.15.1-r14 |
| pkg:apk/chainguard/policy-controller-tester-fips | < 0.15.1-r10 |
| pkg:apk/chainguard/reports-server | < 0 |
| pkg:apk/chainguard/teleport-18.6-kube-agent-updater | < 18.6.8-r28 |
| pkg:apk/chainguard/teleport-18-kube-agent-updater | < 18.9.2-r0 |
| pkg:apk/chainguard/trivy | < 0.71.2-r2 |
| pkg:apk/chainguard/trivy-fips | < 0.71.2-r2 |
| pkg:apk/chainguard/trivy-operator | < 0.30.1-r20 |
| pkg:apk/chainguard/trivy-operator-fips | < 0.30.1-r16 |
| pkg:apk/chainguard/zot | < 2.1.18-r1 |
| pkg:apk/wolfi/aactl | < 0.4.12-r55 |
| pkg:apk/wolfi/crossplane-2.1 | < 2.1.7-r3 |
| pkg:apk/wolfi/crossplane-2.2 | < 2.2.3-r3 |
| pkg:apk/wolfi/crossplane-2.2-crank | < 2.2.3-r3 |
| pkg:apk/wolfi/kubescape | < 4.0.9-r5 |
| pkg:apk/wolfi/kyverno-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/kyverno-background-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/kyverno-cleanup-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/kyverno-cli-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/kyverno-init-container-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/kyverno-reports-controller-1.17 | < 1.17.2-r14 |
| pkg:apk/wolfi/policy-controller | < 0.15.1-r14 |
| pkg:apk/wolfi/policy-controller-tester | < 0.15.1-r14 |
| pkg:apk/wolfi/teleport-18.6-kube-agent-updater | < 18.6.8-r28 |
| pkg:apk/wolfi/teleport-18-kube-agent-updater | < 18.9.2-r0 |
| pkg:apk/wolfi/trivy | < 0.71.2-r2 |
| pkg:apk/wolfi/trivy-operator | < 0.30.1-r20 |
| pkg:apk/wolfi/zot | < 2.1.18-r1 |
| pkg:bitnami/cosign | < 2.6.3 |
| pkg:golang/github.com/sigstore/cosign | >= 3.0.0, < 3.0.6 |
| pkg:rpm/opensuse/cosign&distro=openSUSE%20Tumbleweed | < 3.0.6-1.1 |
| pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 | < 3.0.6-150400.3.42.1 |
Vulnerability mechanics
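The class of flaw the advisory describes, as an added Go illustration written for this page (it is not cosign's source and does not claim to reproduce the patched lines): a DSSE envelope carrying an in-toto statement is decoded and its predicateType is compared with the type the verifier was told to expect. The lenient variant models the error-handling flaw, returning success for both a mismatched predicate type and an unparseable payload; the hardened variant fails closed on either. The envelope contents, predicate URIs, sample statements and function names are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the subset of a DSSE envelope used here; Payload is the
// standard-base64 in-toto Statement. Signatures are omitted on purpose:
// this example is about the payload check, not signature verification.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// Statement is the in-toto Statement header; the predicate body stays opaque.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1" // predicate types used by the samples
	spdxDocument      = "https://spdx.dev/Document"
)

// extractPredicateType decodes the payload and returns its predicateType.
// Every structural problem is an error so that "could not parse" can never
// be confused with "matches".
func extractPredicateType(env Envelope) (string, error) {
	if env.PayloadType != inTotoPayloadType {
		return "", fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("payload is not valid base64: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	if st.Type != "https://in-toto.io/Statement/v0.1" && st.Type != "https://in-toto.io/Statement/v1" {
		return "", fmt.Errorf("unexpected statement _type %q", st.Type)
	}
	if st.PredicateType == "" {
		return "", errors.New("statement has no predicateType")
	}
	return st.PredicateType, nil
}

// checkPredicateTypeLenient is a hypothetical reconstruction of the failure
// class the advisory describes (not cosign's code): the mismatch error lands
// in a shadowed variable, so a decode failure and a wrong predicate type
// both return nil and the caller goes on to print "Verified OK".
func checkPredicateTypeLenient(env Envelope, want string) error {
	var err error
	if got, err := extractPredicateType(env); err == nil && got != want {
		err = fmt.Errorf("predicate type mismatch: got %q, want %q", got, want) // BUG: assigns the inner err
	}
	return err // outer err, always nil
}

// checkPredicateType is the fail-closed form: extraction errors and
// mismatches are returned, and the check must run for every bundle format.
func checkPredicateType(env Envelope, want string) error {
	got, err := extractPredicateType(env)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("predicate type mismatch: got %q, want %q", got, want)
	}
	return nil
}

// newEnvelope frames a statement the way a DSSE signer frames the payload.
func newEnvelope(statementJSON string) Envelope {
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString([]byte(statementJSON))}
}

// Constructed samples: matching SLSA provenance, an SPDX SBOM presented where
// provenance was expected, and a payload truncated mid-JSON.
var (
	goodEnv      = newEnvelope(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1","subject":[],"predicate":{}}`)
	mismatchEnv  = newEnvelope(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://spdx.dev/Document","subject":[],"predicate":{}}`)
	malformedEnv = newEnvelope(`{"_type":"https://in-toto.io/Statement/v1","predicateType":`)
)

func main() {
	for _, c := range []struct {
		name string
		env  Envelope
	}{{"matching", goodEnv}, {"mismatch", mismatchEnv}, {"malformed", malformedEnv}} {
		fmt.Printf("%-9s lenient=%v  hardened=%v\n", c.name,
			checkPredicateTypeLenient(c.env, slsaProvenanceV1), checkPredicateType(c.env, slsaProvenanceV1))
	}
}
```

Running it prints nil for all three samples under the lenient check and an error for the mismatched and malformed samples under the hardened one. The advisory's second finding, that the check was skipped entirely for new-format bundles, is the other half of the fix: the hardened check has to be reached on every verification path, not only the old-format one. Until cosign is upgraded to 3.0.6 or 2.6.3, treat a "Verified OK" from verify-blob-attestation as evidence about the signature only, and decode the attestation payload and compare its predicateType yourself (the extractPredicateType function above is sufficient for that).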
References
- https://github.com/advisories/GHSA-w6c6-c85g-mmv6 (GHSA advisory)
- https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6 (vendor advisory, mitigation)
- https://nvd.nist.gov/vuln/detail/CVE-2026-39395 (NVD)