CVE-2026-23831 - Vulnerability Details

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd
https://github.com/sigstore/rekor/releases/tag/v1.5.0
https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
https://nvd.nist.gov/vuln/detail/CVE-2026-23831
https://www.cve.org/CVERecord?id=CVE-2026-23831

History

Fri, 23 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-23831 https://www.cve.org/CVERecord?id=CVE-2026-23831
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Title		Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message
Weaknesses		CWE-476
References		https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd https://github.com/sigstore/rekor/releases/tag/v1.5.0 https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-22T21:26:22.183Z

Updated: 2026-01-22T21:26:22.183Z

Reserved: 2026-01-16T15:46:40.841Z

Link: CVE-2026-23831

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-22T22:16:19.523

Modified: 2026-01-22T22:16:19.523

Link: CVE-2026-23831

Redhat

Severity : Moderate

Publid Date: 2026-01-22T21:26:22Z

Links: CVE-2026-23831 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object