{"id":"CVE-2026-39395","summary":"Cosign's verify-blob-attestation reports false positive when payload parsing fails","details":"Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a \"Verified OK\" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.","aliases":["BIT-cosign-2026-39395","GHSA-w6c6-c85g-mmv6","GO-2026-5694"],"modified":"2026-07-15T01:49:01.295855645Z","published":"2026-04-07T20:06:28.798Z","related":["CGA-ppcm-jcwg-gwm4","SUSE-SU-2026:22344-1","SUSE-SU-2026:2365-1","openSUSE-SU-2026:10753-1","openSUSE-SU-2026:21036-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-754"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39395.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39395.json"},{"type":"ADVISORY","url":"https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39395"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sigstore/cosign","events":[{"introduced":"0"},{"fixed":"fecddd3c22045a39f52392e71e79f66854b41352"},{"introduced":"9b4b74c497119b5c28b6ca60e9c1ff15bbd7164a"},{"fixed":"f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f"}],"database_specific":{"cpe":"cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.6.3"},{"introduced":"3.0.0"},{"fixed":"3.0.6"}],"source":"CPE_RANGE"}}],"versions":["v2.6.2","v3.0.5","v3.0.4","v2.6.1","v3.0.3","v3.0.2","v3.0.1","v3.0.0","v2.6.0","v2.5.3","v2.5.2","v2.5.1","v2.5.0","v2.4.3","v2.4.2","v2.4.1","v2.4.0","v2.3.0","v2.2.4","v2.2.3","v2.2.2","v2.2.1","v2.2.0","v2.1.1","v2.1.0","v2.0.2","v2.0.1","v2.0.0","v2.0.0-rc.3","v2.0.0-rc.2","v2.0.0-rc.1","v2.0.0-rc.0","v1.13.1","v1.13.0","v1.12.1","v1.12.0","v1.11.1","v1.11.0","v1.10.1","v1.10.0","v1.10.0-rc.1","v1.9.0","v1.8.0","v1.7.2","v1.7.1","v1.7.0","v1.6.0","v1.5.1","v1.5.0","v1.4.1","v1.4.0","v1.3.1","v1.3.0","v1.2.1","v1.2.0","cosigned-v0.0.3-dev","cosigned-v0.0.2-dev","cosigned-v0.0.1-dev","v1.1.0","v1.0.1","v1.0.0","v0.6.0","v0.5.0","v0.4.0","v0.3.1","v0.3.0","v0.2.0","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39395.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}