CVE-2026-24122

Published: Feb 19, 2026

Modified: Feb 20, 2026

PUBLISHED

CVSS v3.1

3.7

LOW

Description

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.

Vendor	Product	Versions
sigstore	cosign	affected `< 3.0.5`

Weaknesses (CWE)

CWE-295

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm

x_refsource_CONFIRM

https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e

x_refsource_MISC

https://github.com/sigstore/cosign/releases/tag/v3.0.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-24122

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References