Bug 2432169 (CVE-2026-23831) - CVE-2026-23831 github.com/sigstore/rekor: Rekor denial of service
Summary: CVE-2026-23831 github.com/sigstore/rekor: Rekor denial of service
Keywords:
Status: NEW
Alias: CVE-2026-23831
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2432178 2432184 2432187 2432200 2432176 2432177 2432179 2432180 2432181 2432182 2432183 2432185 2432186 2432188 2432189 2432190 2432191 2432192 2432193 2432194 2432195 2432196 2432197 2432198 2432199
Blocks:
Reported: 2026-01-22 22:01 UTC by OSIDB Bzimport
Modified: 2026-04-30 04:17 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
Description OSIDB Bzimport 2026-01-22 22:01:44 UTC
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. The validate() function returns nil (success) when the message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can therefore cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error and the service continues to run; the availability impact is therefore minimal. This issue has been fixed in version 1.5.0.
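The validate()/Canonicalize() sequence described above, as an added illustration that is not Rekor's code: a constructed, simplified model in which the 1.4.3-style validate reports success on an empty message and leaves the parsed COSE_Sign1 pointer nil, beside a fixed validate that rejects the empty message. The Sign1, Entry and process names are assumptions of this example; process models the per-request recovery that turns the panic into an error rather than a crash.

```go
package main

import (
	"errors"
	"fmt"
)

// Sign1 stands in for the parsed COSE_Sign1 message whose Payload is read later.
type Sign1 struct{ Payload []byte }

// Entry is a constructed stand-in for the cose/v0.0.1 entry type; not Rekor's code.
type Entry struct{ sign1Msg *Sign1 }

// validateBuggy mirrors the 1.4.3 behaviour: an empty spec.message is reported as success without setting sign1Msg.
func (e *Entry) validateBuggy(message []byte) error {
	if len(message) == 0 {
		return nil
	}
	e.sign1Msg = &Sign1{Payload: message}
	return nil
}

// validateFixed rejects the empty message up front, so Canonicalize never sees a nil sign1Msg.
func (e *Entry) validateFixed(message []byte) error {
	if len(message) == 0 {
		return errors.New("cose entry: spec.message must not be empty")
	}
	e.sign1Msg = &Sign1{Payload: message}
	return nil
}

// Canonicalize dereferences sign1Msg unconditionally, as the report describes.
func (e *Entry) Canonicalize() []byte { return e.sign1Msg.Payload }

// process runs validate then Canonicalize and converts a panic into an error,
// the way a per-request recover turns the crash into an HTTP 500 response.
func process(message []byte, validate func(*Entry, []byte) error) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	e := &Entry{}
	if err := validate(e, message); err != nil {
		return nil, err
	}
	return e.Canonicalize(), nil
}
```

With the buggy validator an empty message reaches Canonicalize and is caught only by the deferred recover; with the fixed validator it is rejected with a plain error before any dereference.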

