{"id":"CVE-2026-34986","summary":"Go JOSE affect by a panic in JWE decryption","details":"Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.","aliases":["GHSA-78h2-9frx-2jm8","GO-2026-4945"],"modified":"2026-07-15T01:49:11.143154252Z","published":"2026-04-06T16:22:45.353Z","related":["ALSA-2026:10135","ALSA-2026:19017","ALSA-2026:19135","ALSA-2026:19173","ALSA-2026:19186","ALSA-2026:19353","ALSA-2026:33722","ALSA-2026:35833","CGA-rq7r-7wq9-h37h","SUSE-SU-2026:1935-1","SUSE-SU-2026:1938-1","SUSE-SU-2026:21540-1","SUSE-SU-2026:21560-1","SUSE-SU-2026:21852-1","SUSE-SU-2026:21989-1","SUSE-SU-2026:22128-1","SUSE-SU-2026:22133-1","SUSE-SU-2026:22242-1","SUSE-SU-2026:22249-1","SUSE-SU-2026:22328-1","SUSE-SU-2026:22424-1","SUSE-SU-2026:2243-1","SUSE-SU-2026:22443-1","SUSE-SU-2026:22451-1","SUSE-SU-2026:22516-1","SUSE-SU-2026:2258-1","SUSE-SU-2026:2438-1","SUSE-SU-2026:2466-1","SUSE-SU-2026:2581-1","SUSE-SU-2026:2609-1","SUSE-SU-2026:2612-1","SUSE-SU-2026:2636-1","SUSE-SU-2026:2639-1","SUSE-SU-2026:2640-1","SUSE-SU-2026:2665-1","SUSE-SU-2026:2693-1","SUSE-SU-2026:2706-1","SUSE-SU-2026:2715-1","SUSE-SU-2026:2733-1","SUSE-SU-2026:2768-1","SUSE-SU-2026:2774-1","SUSE-SU-2026:2830-1","openSUSE-SU-2026:10529-1","openSUSE-SU-2026:10577-1","openSUSE-SU-2026:10613-1","openSUSE-SU-2026:10630-1","openSUSE-SU-2026:10631-1","openSUSE-SU-2026:10651-1","openSUSE-SU-2026:10654-1","openSUSE-SU-2026:10655-1","openSUSE-SU-2026:10677-1","openSUSE-SU-2026:10697-1","openSUSE-SU-2026:10698-1","openSUSE-SU-2026:10700-1","openSUSE-SU-2026:10702-1","openSUSE-SU-2026:10712-1","openSUSE-SU-2026:10744-1","openSUSE-SU-2026:11070-1","openSUSE-SU-2026:11107-1","openSUSE-SU-2026:11126-1","openSUSE-SU-2026:20669-1","openSUSE-SU-2026:20686-1","openSUSE-SU-2026:20711-1","openSUSE-SU-2026:20730-1","openSUSE-SU-2026:20809-1","openSUSE-SU-2026:20816-1","openSUSE-SU-2026:20940-1","openSUSE-SU-2026:20969-1","openSUSE-SU-2026:21010-1","openSUSE-SU-2026:21151-1","openSUSE-SU-2026:21210-1","openSUSE-SU-2026:21213-1","openSUSE-SU-2026:21244-1"],"database_specific":{"cwe_ids":["CWE-248"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34986.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34986.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10125"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10130"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10135"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11070"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11217"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11512"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11688"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11856"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11916"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:11996"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:12116"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:12277"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:12279"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13791"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13829"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16696"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17040"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17121"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17123"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17287"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17448"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17458"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17459"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17468"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17474"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17547"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17550"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17598"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17789"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:18584"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:18585"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19017"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19099"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19108"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19135"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19173"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19186"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19353"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19375"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19719"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19720"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19721"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20034"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20041"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20569"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20607"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20609"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20946"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21017"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21703"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21709"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21769"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21931"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21932"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22258"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22260"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22347"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22423"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22450"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22465"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22629"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22714"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22840"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22937"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23228"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23241"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23345"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23361"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24471"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24475"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24477"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24479"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24482"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24484"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24853"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24977"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25127"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25187"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25194"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25206"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25248"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25250"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25252"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26054"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26568"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26585"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26636"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27001"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27004"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27044"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27063"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27856"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:28198"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:29854"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:30650"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:32991"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33722"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34099"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34192"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34196"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34197"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34364"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34794"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35833"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36820"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:37387"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:8490"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:8491"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:8493"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:9385"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:9388"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:9448"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:9453"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-34986"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34986.json"},{"type":"ADVISORY","url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34986"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455470"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/go-jose/go-jose","events":[{"introduced":"a563785af9481120d75c419acf7bdd86a07cc1f1"},{"fixed":"be2f6548701d4ba561cd61c7d4a2f1289b66c273"},{"introduced":"2658f467ede28af28a7883041677ff460dda3f69"},{"fixed":"0e59876635f3dbf46d7b5e97b52bb75a3f96e7d9"}],"database_specific":{"extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.0.5"},{"introduced":"4.0.0"},{"fixed":"4.1.4"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*"}}],"versions":["v3.0.4","v4.1.3","v4.1.2","v4.1.1","v4.1.0","v4.0.5","v4.0.4","v4.0.3","v3.0.3","v4.0.2","v4.0.1","v3.0.2","v4.0.0","v3.0.0-rc.1","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34986.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}