CVE-2026-24122
Received Received - Intake
Certificate Expiry Validation Bypass in Cosign

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24122
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sigstore cosign to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cosign versions 3.0.4 and below, which is a tool used for code signing and transparency for containers and binaries. The issue is that an issuing certificate that expires before the leaf certificate can still be considered valid during verification if the provided timestamp suggests the issuing certificate should be expired. Essentially, Cosign verifies the certificate chain based on the leaf certificate's "not before" timestamp and later checks the leaf certificate's expiry using a signed timestamp or current time, but it assumes the root and issuing certificates remain valid during the leaf certificate's validity period. This can lead to acceptance of signatures with expired issuing certificates.

Impact Analysis

The impact of this vulnerability is limited. It may affect private deployments of Cosign that use customized Public Key Infrastructures (PKIs), potentially allowing acceptance of signatures that should be considered invalid due to expired issuing certificates. However, there is no impact on users of the public Sigstore infrastructure. The vulnerability has a low CVSS score of 3.7, indicating limited severity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Cosign to version 3.0.5 or later, where the issue has been fixed.

This vulnerability affects private deployments with customized PKIs, so ensure that your environment is updated accordingly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24122. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart