CVE-2026-23831
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23831
EUVD
EUVD-2026-3809
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation rekor to 1.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Rekor versions 1.4.3 and below, where the entry implementation can panic due to attacker-controlled input when processing an entry with an empty spec.message. Specifically, the validate() function returns success when the message is empty, leaving a variable uninitialized. Later, the Canonicalize() function dereferences this uninitialized variable, causing a nil pointer dereference and a panic in the Rekor process thread. This results in a 500 error response to the client, but the service continues running.

Impact Analysis

The vulnerability can cause a panic in a thread within the Rekor process, resulting in a 500 error message being sent to clients. However, the overall service continues to run, so the impact on availability is minimal. There is no impact on confidentiality or integrity.

Mitigation Strategies

Upgrade Rekor to version 1.5.0 or later, as this version contains the fix for the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23831. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart