Bug 2432169 (CVE-2026-23831)

Summary: CVE-2026-23831 github.com/sigstore/rekor: Rekor denial of service
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adistefa, agarcial, akoudelk, alcohan, anjoseph, anpicker, aoconnor, asegurap, bbrownin, bdettelb, bparees, carogers, dfreiber, dhanak, doconnor, drosa, drow, dsimansk, dymurray, eglynn, erezende, gparvin, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jcammara, jcantril, jfula, jjoyce, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jowilson, jprabhak, jsamir, jschluet, kegrant, kingland, koliveir, kshier, kverlaen, lball, lbragsta, lgamliel, lhh, ljawale, lphiri, luizcosta, mabashia, manissin, matzew, mburns, mgarciac, mnovotny, ngough, nweather, nyancey, ometelka, owatkins, pahickey, pakotvan, pbohmill, pbraun, pgaikwad, ptisnovs, rbobbitt, rfreiman, rhaigner, rjohnson, rojacob, sakbas, sausingh, sdawley, shvarugh, simaishi, slucidi, smcdonal, sseago, stcannon, sthirugn, syedriko, teagle, tfister, thavo, veshanka, vkumar, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2432178, 2432184, 2432187, 2432200, 2432176, 2432177, 2432179, 2432180, 2432181, 2432182, 2432183, 2432185, 2432186, 2432188, 2432189, 2432190, 2432191, 2432192, 2432193, 2432194, 2432195, 2432196, 2432197, 2432198, 2432199    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-22 22:01:44 UTC
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.