Bug 2455470 (CVE-2026-34986)

Summary: CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2455616, 2455618, 2455621, 2455622, 2455624, 2455628, 2455637, 2455640, 2455641, 2455646, 2455648, 2455649, 2455650, 2455651, 2455652, 2455653, 2455655, 2455657, 2455658, 2455660, 2455661, 2455662, 2455666, 2455668, 2455670, 2455671, 2455676, 2455614, 2455630, 2455636, 2455638, 2455639, 2455642, 2455643, 2455644, 2455645, 2455647, 2455654, 2455656, 2455659, 2455663, 2455664, 2455665, 2455667, 2455669, 2455673, 2455674, 2455675    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-06 17:01:58 UTC
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
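A pre-parse screen for the exact shape the description names, added here as an example; it is not code from go-jose or from this bug's reporters, it assumes the compact serialization, uses only the standard library, and the names PrecheckJWE, isKeyWrapAlg and sampleJWE are its own. It rejects a compact JWE whose protected header names a key-wrapping alg while the encrypted_key segment decodes to fewer than 16 bytes, the condition the description gives for the panic in cipher.KeyUnwrap(); upgrading to 4.1.4 / 3.0.5 remains the actual fix.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Per the advisory, cipher.KeyUnwrap() panics on ciphertext shorter than 16
// bytes (two 8-byte AES key-wrap blocks); an empty encrypted_key is 0 bytes.
const minWrappedKeyLen = 16

// isKeyWrapAlg: the advisory's affected set, "...KW" algs minus the GCMKW ones.
func isKeyWrapAlg(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !strings.HasSuffix(alg, "GCMKW")
}

// PrecheckJWE inspects a compact JWE (5 dot-separated segments) and returns an
// error, not a panic, when a key-wrapping alg is paired with a short encrypted_key.
func PrecheckJWE(compact string) error {
	parts := strings.Split(strings.TrimSpace(compact), ".")
	if len(parts) != 5 {
		return fmt.Errorf("compact JWE needs 5 segments, got %d", len(parts))
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	if !isKeyWrapAlg(h.Alg) {
		return nil // dir, ECDH-ES, RSA-OAEP-*, GCMKW: not the KeyUnwrap path
	}
	key, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("encrypted_key: %w", err)
	}
	if len(key) < minWrappedKeyLen {
		return fmt.Errorf("alg %s: encrypted_key is %d bytes, need >= %d", h.Alg, len(key), minWrappedKeyLen)
	}
	return nil
}

// sampleJWE builds a constructed compact JWE: real header, chosen encrypted_key, placeholder iv/ciphertext/tag.
func sampleJWE(alg string, wrappedKey []byte) string {
	b64 := base64.RawURLEncoding.EncodeToString
	hdr := b64([]byte(`{"alg":"` + alg + `","enc":"A128GCM"}`))
	return hdr + "." + b64(wrappedKey) + ".aXY.Y2lwaGVydGV4dA.dGFn"
}
```

For the JSON serializations the same length check applies to the encrypted_key field (per recipient in the general form), and alg may come from the unprotected or per-recipient header rather than the protected one.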

Comment 4 errata-xmlrpc 2026-04-24 07:40:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:10135 https://access.redhat.com/errata/RHSA-2026:10135

Comment 9 errata-xmlrpc 2026-05-13 01:52:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:16696 https://access.redhat.com/errata/RHSA-2026:16696

Comment 10 errata-xmlrpc 2026-05-13 13:16:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:17040 https://access.redhat.com/errata/RHSA-2026:17040

Comment 11 errata-xmlrpc 2026-05-13 19:24:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:17287 https://access.redhat.com/errata/RHSA-2026:17287

Comment 17 errata-xmlrpc 2026-05-19 13:02:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19017 https://access.redhat.com/errata/RHSA-2026:19017

Comment 18 errata-xmlrpc 2026-05-19 16:07:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19135 https://access.redhat.com/errata/RHSA-2026:19135

Comment 19 errata-xmlrpc 2026-05-19 17:58:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19173 https://access.redhat.com/errata/RHSA-2026:19173

Comment 20 errata-xmlrpc 2026-05-19 18:00:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19186 https://access.redhat.com/errata/RHSA-2026:19186

Comment 21 errata-xmlrpc 2026-05-19 21:39:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19353 https://access.redhat.com/errata/RHSA-2026:19353

Comment 22 errata-xmlrpc 2026-05-20 16:40:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:19719 https://access.redhat.com/errata/RHSA-2026:19719

Comment 23 errata-xmlrpc 2026-05-20 16:48:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:19721 https://access.redhat.com/errata/RHSA-2026:19721

Comment 24 errata-xmlrpc 2026-05-20 16:53:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:19720 https://access.redhat.com/errata/RHSA-2026:19720

Comment 25 errata-xmlrpc 2026-05-26 03:19:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20569 https://access.redhat.com/errata/RHSA-2026:20569

Comment 26 errata-xmlrpc 2026-05-26 03:54:17 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:17789 https://access.redhat.com/errata/RHSA-2026:17789

Comment 27 errata-xmlrpc 2026-05-26 05:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20609 https://access.redhat.com/errata/RHSA-2026:20609

Comment 28 errata-xmlrpc 2026-05-26 05:31:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20607 https://access.redhat.com/errata/RHSA-2026:20607

Comment 30 errata-xmlrpc 2026-06-02 11:08:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22450 https://access.redhat.com/errata/RHSA-2026:22450

Comment 31 errata-xmlrpc 2026-06-03 08:01:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22714 https://access.redhat.com/errata/RHSA-2026:22714

Comment 32 errata-xmlrpc 2026-06-03 18:50:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22937 https://access.redhat.com/errata/RHSA-2026:22937

Comment 33 errata-xmlrpc 2026-06-04 13:10:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:23228 https://access.redhat.com/errata/RHSA-2026:23228

Comment 37 errata-xmlrpc 2026-06-11 13:32:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:25248 https://access.redhat.com/errata/RHSA-2026:25248

Comment 38 errata-xmlrpc 2026-06-11 13:48:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:25250 https://access.redhat.com/errata/RHSA-2026:25250

Comment 39 errata-xmlrpc 2026-06-11 13:49:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:25252 https://access.redhat.com/errata/RHSA-2026:25252

Comment 40 errata-xmlrpc 2026-06-15 19:35:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:26054 https://access.redhat.com/errata/RHSA-2026:26054