CVE-2026-39395

EUVD-2026-19919

07.04.2026, 20:16

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Affected Products (NVD)

Vendor	Product	Version
sigstore	cosign	𝑥 < 2.6.3
sigstore	cosign	3.0.0 ≤ 𝑥 < 3.0.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cosign

forky	2.6.3-1 fixed
sid	2.6.3-1 fixed
trixie	no-dsa

golang-github-sigstore-cosign-v2

forky	2.6.3-2 fixed
sid	2.6.3-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

cosign

jammy	dne
noble	dne
questing	needs-triage
resolute	needs-triage

Common Weakness Enumeration

CWE-754 - Improper Check for Unusual or Exceptional Conditions
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.

References

https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6