CVE-2026-24122 Overview
CVE-2026-24122 is a Certificate Validation Bypass vulnerability in Cosign, the code signing and transparency tool for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will incorrectly be considered valid during verification, even when the provided timestamp indicates the issuing certificate should be expired.
When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp from the Rekor transparency log, a timestamp authority, or the current time. The root and all issuing certificates are incorrectly assumed to be valid during the leaf certificate's validity period.
Critical Impact
Private PKI deployments with customized certificate hierarchies may accept signatures that chain to an expired issuing certificate: a signature produced after the intermediate or root CA expired still verifies as long as the leaf certificate was within its own validity period at the timestamp used for verification. Users of the public Sigstore infrastructure are not affected.
Affected Products
- Cosign versions 3.0.4 and below
- Private PKI deployments with customized certificate hierarchies
- Container and binary verification workflows using affected Cosign versions
Discovery Timeline
- 2026-02-19 - CVE-2026-24122 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-24122
Vulnerability Analysis
This vulnerability stems from improper certificate validation (CWE-295) in Cosign's signature verification logic. The flaw occurs in the certificate chain validation process where the timing checks for issuing certificates are inadequate.
During artifact signature verification, Cosign validates the certificate chain using the leaf certificate's "not before" timestamp. However, the verification process fails to properly check whether issuing certificates in the chain have expired relative to the timestamp being used for validation. The system incorrectly assumes that root and intermediate certificates remain valid throughout the entire validity period of the leaf certificate.
This creates a window where an issuing certificate that has expired can still be used to validate signatures if the leaf certificate issued by that CA remains within its own validity period. In properly configured public Sigstore infrastructure, this issue has no impact because the PKI is designed with appropriate certificate lifetimes.
Root Cause
The root cause is improper certificate chain expiration validation in Cosign's verification logic. The verification process validates the leaf certificate's expiry against external timestamps (Rekor transparency log, timestamp authority, or current time) but does not perform the same temporal validation against issuing certificates in the chain.
Attack Vector
The vulnerability is exploitable via a network-based attack with high complexity. An attacker would need to:
- Operate or compromise a private PKI deployment using Cosign
- Possess a leaf certificate that was issued while the intermediate or root CA was still valid, but whose own validity period extends past the CA's expiry
- Sign artifacts after the issuing certificate has expired but while the leaf certificate remains valid
- Present these signatures to verification systems running vulnerable Cosign versions
The attack requires specific PKI misconfigurations in private deployments and does not affect users of the public Sigstore infrastructure.
Detection Methods for CVE-2026-24122
Indicators of Compromise
- Signatures accepted although, at the timestamp used for verification (Rekor signed timestamp, TSA timestamp, or current time), an intermediate or root certificate in the chain was already past its NotAfter
- Verification logs (from the pipeline or policy engine wrapping Cosign) showing successful validation where an issuing certificate had already expired
- Private CA hierarchies in which a leaf certificate's NotAfter is later than its issuer's NotAfter, the precondition for this bypass
Detection Strategies
- Audit certificate chain validation logs for signatures accepted after issuing certificate expiration dates
- Review PKI configurations to identify leaf certificates with validity periods extending beyond their issuing certificates
- Monitor for signature verification operations using Cosign versions 3.0.4 and below in private PKI environments
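To make the root-cause description (chain checked at the leaf's NotBefore, leaf alone re-checked at the signing timestamp) and the configuration audit suggested above concrete, here is an added Go example that is not Cosign's code and not part of the advisory; it uses only the standard crypto/x509 package. It builds a constructed private hierarchy in which a 30-day intermediate issues a one-year leaf, then shows that vulnerableVerify, which follows the pre-fix order of checks, accepts a signature timestamped 60 days in, while verifyChainAt pinned to that same timestamp rejects it because the intermediate has expired. outlivesIssuer is the audit check for leaf certificates that outlive their issuer. The function names, certificate names and validity periods are assumptions made for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var base = time.Date(2026, time.January, 1, 0, 0, 0, 0, time.UTC) // fixed clock for the demo
var serial int64

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a P-256 certificate signed by parent; a nil parent yields a self-signed root.
func mkCert(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildHierarchy is constructed test data: a 30-day intermediate issuing a leaf valid for a year.
func buildHierarchy() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mkCert("root-ca", base, base.AddDate(10, 0, 0), true, nil, nil)
	inter, interKey := mkCert("intermediate-ca", base, base.AddDate(0, 0, 30), true, root, rootKey)
	leaf, _ = mkCert("leaf", base.AddDate(0, 0, 1), base.AddDate(1, 0, 0), false, inter, interKey)
	return root, inter, leaf
}

// verifyChainAt is the fixed behaviour: every certificate in leaf -> inter -> root is checked at t.
func verifyChainAt(leaf, inter, root *x509.Certificate, t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   t,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// vulnerableVerify mirrors the pre-fix order: chain checked at the leaf's NotBefore, only the leaf re-checked at signingTime.
func vulnerableVerify(leaf, inter, root *x509.Certificate, signingTime time.Time) error {
	if err := verifyChainAt(leaf, inter, root, leaf.NotBefore); err != nil {
		return err
	}
	if signingTime.Before(leaf.NotBefore) || signingTime.After(leaf.NotAfter) {
		return fmt.Errorf("leaf not valid at %s", signingTime.Format(time.RFC3339))
	}
	return nil
}

// outlivesIssuer audits a chain ordered leaf -> root and returns the CN of each certificate whose NotAfter is later than its issuer's.
func outlivesIssuer(chain []*x509.Certificate) []string {
	var bad []string
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].NotAfter.After(chain[i+1].NotAfter) {
			bad = append(bad, chain[i].Subject.CommonName)
		}
	}
	return bad
}

func main() {
	root, inter, leaf := buildHierarchy()
	signingTime := base.AddDate(0, 0, 60) // intermediate expired, leaf still inside its window
	fmt.Println("vulnerable:", vulnerableVerify(leaf, inter, root, signingTime))
	fmt.Println("fixed:", verifyChainAt(leaf, inter, root, signingTime))
	fmt.Println("outlives issuer:", outlivesIssuer([]*x509.Certificate{leaf, inter, root}))
}
```

Run it with go run. The vulnerable path returns nil at day 60 while the fixed path returns an error, and the audit reports "leaf" because its NotAfter is later than the intermediate's. The verifyChainAt pattern, with the Rekor or TSA timestamp passed as CurrentTime, is also what an application-level pre-check in front of an unpatched Cosign would look like.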
Monitoring Recommendations
- Implement alerting on certificate validation events involving expired issuing certificates
- Monitor Cosign version deployments across container registries and CI/CD pipelines
- Review transparency log entries for signatures that may have bypassed proper chain validation
How to Mitigate CVE-2026-24122
Immediate Actions Required
- Upgrade Cosign to version 3.0.5 or later immediately
- Re-verify existing signatures from private PKI deployments with the patched version; any signature that verified under 3.0.4 but is rejected by 3.0.5 because an issuing certificate had expired was accepted through this flaw
- Review certificate chain configurations so that no leaf certificate's NotAfter is later than its issuing certificate's NotAfter
Patch Information
Sigstore has released Cosign version 3.0.5 which addresses this certificate chain validation issue. The fix ensures that issuing certificates are properly validated against the timestamp used for verification, not just the leaf certificate's validity period.
- GitHub Release v3.0.5 - Official patched release
- GitHub Commit Details - Specific fix implementation
- GitHub Security Advisory GHSA-wfqv-66vq-46rm - Full security advisory
Workarounds
- Ensure issuing certificate validity periods always exceed leaf certificate validity periods in private PKI configurations
- Use the public Sigstore infrastructure which is not affected by this vulnerability
- Implement additional certificate chain validation checks at the application level before Cosign verification
```bash
# Upgrade Cosign to patched version
go install github.com/sigstore/cosign/v3/cmd/cosign@v3.0.5
# Verify installed version
cosign version
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

