CVE-2026-34986 Overview
CVE-2026-34986 is a denial of service vulnerability in the Go JOSE library, which provides an implementation of the Javascript Object Signing and Encryption (JOSE) set of standards in Go. The library supports JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to versions 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will cause a panic condition when the alg field indicates a key wrapping algorithm (algorithms ending in KW, excluding A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty.
Critical Impact
Remote attackers can trigger a denial of service condition by sending specially crafted JWE objects with empty encrypted_key fields to applications using vulnerable versions of Go JOSE, causing application crashes without requiring authentication.
Affected Products
- Go JOSE versions prior to 4.1.4
- Go JOSE versions prior to 3.0.5
- Applications using cipher.KeyUnwrap() with ciphertext parameters less than 16 bytes
Discovery Timeline
- 2026-04-06 - CVE-2026-34986 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34986
Vulnerability Analysis
The vulnerability exists in the key unwrapping mechanism within Go JOSE's JWE implementation. When processing encrypted JWE objects, the library's cipher.KeyUnwrap() function in key_wrap.go attempts to allocate a slice based on the length of the encrypted_key field. If the encrypted_key field is empty or contains fewer than 16 bytes, the function calculates a zero or negative slice length, triggering a Go runtime panic.
This panic condition is classified under CWE-248 (Uncaught Exception), indicating that the application fails to properly handle exceptional conditions. The vulnerability can be exploited remotely over the network without any authentication or user interaction, making it particularly dangerous for internet-facing services that process JWE tokens.
Root Cause
The root cause is insufficient input validation in the cipher.KeyUnwrap() function before attempting slice allocation. The code path does not verify that the encrypted_key field contains at least the minimum required bytes (16 bytes) before performing arithmetic operations to determine the output slice size. When the key wrapping algorithm processes an empty or undersized encrypted_key, the resulting slice allocation request causes an unrecoverable panic.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability through the following code path:
- Send a maliciously crafted JWE object to a target application
- The application parses the JWE using ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact()
- When Decrypt() is called on the resulting object with a key wrapping algorithm specified in the alg field and an empty encrypted_key field, the panic is triggered
- The application crashes, resulting in denial of service
Applications that restrict accepted key algorithms to exclude key wrapping algorithms (those ending in KW, except A128GCMKW, A192GCMKW, and A256GCMKW) will fail parsing before reaching the vulnerable code path. The vulnerability can also be triggered by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes, though this direct call pattern is less common.
Detection Methods for CVE-2026-34986
Indicators of Compromise
- Unexpected application crashes or restarts in services processing JWE tokens
- Go runtime panic logs indicating slice allocation errors in key_wrap.go
- Abnormal JWE objects in request logs with empty or missing encrypted_key fields
- Increased rate of malformed JWT/JWE token submissions from specific sources
Detection Strategies
- Monitor application logs for Go panic stack traces referencing cipher.KeyUnwrap or key_wrap.go
- Implement request logging to capture JWE objects with key wrapping algorithms and empty encrypted keys
- Deploy network-level inspection for JWE tokens with suspicious structures targeting authenticated endpoints
- Use dependency scanning tools to identify applications using vulnerable Go JOSE versions (< 4.1.4 or < 3.0.5)
Monitoring Recommendations
- Configure alerting on application crash events and automatic restart patterns
- Monitor process uptime metrics for services handling JWE token processing
- Review inbound traffic patterns for repeated malformed token submissions
- Implement rate limiting on endpoints accepting JWE tokens to mitigate DoS impact
How to Mitigate CVE-2026-34986
Immediate Actions Required
- Upgrade Go JOSE to version 4.1.4 or later for v4.x installations
- Upgrade Go JOSE to version 3.0.5 or later for v3.x installations
- Restrict accepted key algorithms to exclude key wrapping algorithms if not required by your application
- Implement recovery middleware to gracefully handle panics and maintain service availability
Patch Information
The vulnerability has been fixed in Go JOSE versions 4.1.4 and 3.0.5. The patches add proper validation of the encrypted_key field length before attempting slice allocation in the cipher.KeyUnwrap() function. For complete technical details and patch information, refer to the GitHub Security Advisory or the Go JOSE package documentation.
Workarounds
- Configure ParseEncrypted() to only accept algorithms that do not include key wrapping (algorithms not ending in KW)
- Implement input validation middleware to reject JWE objects with empty encrypted_key fields before processing
- Add panic recovery handlers in your application to prevent complete service crashes
- Deploy the service behind a reverse proxy that can validate token structure before forwarding requests
# Update Go JOSE dependency to patched version
go get github.com/go-jose/go-jose/v4@v4.1.4
# Or for v3.x
go get github.com/go-jose/go-jose/v3@v3.0.5
# Verify installed version
go list -m github.com/go-jose/go-jose/v4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
