CVE-2026-34986
Panic-Inducing Key Unwrap Vulnerability in Go JOSE Causes DoS
Publication date: 2026-04-06
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-jose_project | go-jose | From 3.0.0 (inc) to 3.0.5 (exc) |
| go-jose_project | go-jose | From 4.0.0 (inc) to 4.1.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service (DoS) due to a panic in the Go runtime when decrypting certain JSON Web Encryption (JWE) objects. It does not result in any loss of confidentiality or integrity.
Since the vulnerability only leads to denial of service and does not expose or alter sensitive data, it does not directly impact compliance with data protection standards such as GDPR or HIPAA, which primarily focus on confidentiality, integrity, and availability of personal data.
However, denial of service could indirectly affect availability requirements under these regulations if exploited in a production environment, potentially causing service interruptions.
Can you explain this vulnerability to me?
CVE-2026-34986 is a vulnerability in the Go library github.com/go-jose/go-jose that affects versions prior to v3.0.5 and v4 versions before 4.1.4. It occurs during the decryption of JSON Web Encryption (JWE) objects when the 'alg' field specifies a key wrapping algorithm (any algorithm ending with 'KW' except for A128GCMKW, A192GCMKW, and A256GCMKW) and the 'encrypted_key' field is empty.
The vulnerability causes a panic in the Go runtime because the function cipher.KeyUnwrap() attempts to allocate a slice with zero or negative length based on the empty 'encrypted_key'. This panic can be triggered through normal JWE parsing and decryption workflows or by directly calling cipher.KeyUnwrap() with ciphertext shorter than 16 bytes.
If the accepted key algorithms list excludes key wrapping algorithms, parsing fails safely and the vulnerability is not exploitable.
How can this vulnerability impact me? :
This vulnerability can lead to a denial of service (DoS) condition by causing the application to panic during the decryption process. The panic results from an attempt to allocate memory with an invalid size, which crashes the Go runtime.
The impact is limited to availability; there is no loss of confidentiality or integrity.
The attack vector is network-based, requires no privileges or user interaction, and does not change the security scope.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for panics or crashes in applications using the go-jose library versions prior to 3.0.5 and 4.1.4 when decrypting JSON Web Encryption (JWE) objects.
Specifically, detection involves checking if JWE objects with a key wrapping algorithm (ending in KW except A128GCMKW, A192GCMKW, and A256GCMKW) have an empty encrypted_key field, which triggers the panic.
To detect this on your system, you can:
- Monitor application logs for runtime panics related to cipher.KeyUnwrap() or slice allocation errors.
- Inspect JWE tokens being processed to verify if the encrypted_key field is empty when the alg field indicates a vulnerable key wrapping algorithm.
Suggested commands depend on your environment, but examples include:
- Using grep or similar tools to search logs for panic messages: `grep -i panic /var/log/app.log`
- Parsing JWE tokens to check the encrypted_key field, for example using jq on JSON representations: `echo '{"encrypted_key":""}' | jq '.encrypted_key | length'` to detect empty fields.
- If you have access to the source or runtime, adding instrumentation or debug logging around calls to ParseEncrypted() and Decrypt() to log suspicious inputs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the go-jose library to version 3.0.5 or later, or 4.1.4 or later, where this vulnerability is fixed.
- Exclude key wrapping algorithms (those ending with KW except A128GCMKW, A192GCMKW, and A256GCMKW) from the list of accepted key algorithms during JWE parsing to prevent the vulnerable code path from being executed.
- Prevalidate JWE objects before decryption to ensure the encrypted_key field is not empty.
- For applications accepting JWE Compact Serialization, validate the relevant field (the data between the first and second periods) to ensure it is not empty.