
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24122: Time Travelers & Zombie Chains: Deep Dive into CVE-2026-24122 in Sigstore Cosign


Vulnerability ID: CVE-2026-24122
CVSS Score: 3.7
Published: 2026-02-19

A temporal logic flaw in Sigstore Cosign's certificate validation allowed expired intermediate Certificate Authorities to validate signatures if the leaf certificate was issued before the parent's expiration. While low severity for the public Sigstore infrastructure due to ephemeral certificates, this flaw exposes private PKI deployments to 'Zombie Cert' attacks.

TL;DR

Cosign checked the validity of a CA chain at the leaf certificate's issuance time (leaf.NotBefore) rather than at the signature time. As a result, a leaf certificate issued by an Intermediate CA that has since expired could still verify artifact signatures successfully, provided the leaf was issued while the parent was still valid.


Technical Details

  • CWE ID: CWE-295
  • Attack Vector: Network
  • CVSS v3.1: 3.7 (Low)
  • Complexity: High
  • Privileges Required: None
  • Exploit Status: Theoretical / PoC

Affected Systems

  • sigstore/cosign < v3.0.5 (fixed in v3.0.5)
  • Internal/Private Sigstore deployments using custom PKI
  • CI/CD pipelines relying on Cosign for artifact verification

Code Analysis

Commit: 3c9a736

Verify validity of chain rather than just certificate

x509.VerifyOptions{ CurrentTime: signatureTimestamp } // Replaces leaf.NotBefore

Exploit Details

  • N/A: Theoretical exploit requiring specific PKI conditions (Intermediate expiring before Leaf).

Mitigation Strategies

  • Upgrade Cosign to v3.0.5 immediately.
  • Rebuild any internal tooling that imports github.com/sigstore/cosign as a library.
  • Audit internal PKI to ensure Intermediate CAs do not have expiration dates that fall within the validity period of their issued leaf certificates.
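As an added illustration (not code from this report or from the Cosign project), the following Go program reproduces the chain shape described in the TL;DR and Code Analysis sections and applies the PKI audit from the mitigation list above. It builds an in-memory root/intermediate/leaf chain in which the leaf outlives its intermediate, verifies it with Go's crypto/x509 anchored first at leaf.NotBefore (the pre-fix anchor) and then at the signature time (the fixed anchor), and flags the leaf whose validity extends past its issuer's. All names, keys and timestamps are constructed for the demonstration; the chain validation is the standard library's, not Cosign's own verification path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain holds a constructed root -> intermediate -> leaf hierarchy (test data, not a real PKI).
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

// mustCert signs template with parentKey and parses the result; panics on error (test helper).
func mustCert(template, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildZombieChain constructs the problematic PKI shape from the report: the intermediate
// expires at t0+1h, but the leaf it issues at t0 is valid for 24h, so the leaf outlives its issuer.
func buildZombieChain(t0 time.Time) chain {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"},
		NotBefore: t0.Add(-time.Hour), NotAfter: t0.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)

	intTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example intermediate"},
		NotBefore: t0.Add(-time.Hour), NotAfter: t0.Add(time.Hour), // short-lived issuer
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := mustCert(intTpl, root, &intKey.PublicKey, rootKey)

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example signer"},
		NotBefore: t0, NotAfter: t0.Add(24 * time.Hour), // outlives the intermediate
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTpl, inter, &leafKey.PublicKey, intKey)

	return chain{root: root, intermediate: inter, leaf: leaf}
}

// verifyAt runs chain verification anchored at the given time. Go checks the validity window of
// every certificate in the chain against CurrentTime, which is why the choice of anchor decides
// whether the expired intermediate is accepted. Returns nil when the chain verifies.
func verifyAt(c chain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root)
	inters.AddCert(c.intermediate)
	_, err := c.leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// issuerOutlivedByLeaf implements the audit from the mitigation list: it reports whether a
// leaf's validity period extends past its issuing certificate's NotAfter.
func issuerOutlivedByLeaf(leaf, issuer *x509.Certificate) bool {
	return leaf.NotAfter.After(issuer.NotAfter)
}

func main() {
	t0 := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	c := buildZombieChain(t0)
	signedAt := t0.Add(2 * time.Hour) // signature produced after the intermediate expired

	// Pre-fix anchor: verifying at leaf.NotBefore accepts the zombie chain (prints <nil>).
	fmt.Println("CurrentTime = leaf.NotBefore:", verifyAt(c, c.leaf.NotBefore))
	// Fixed anchor: verifying at the signature time rejects it (prints an error).
	fmt.Println("CurrentTime = signature time:", verifyAt(c, signedAt))
	// Audit finding: the leaf outlives its issuer, the precondition for this bug.
	fmt.Println("leaf outlives issuer:", issuerOutlivedByLeaf(c.leaf, c.intermediate))
}
```

The audit check is the cheap preventive control: a chain in which no leaf outlives its issuer cannot produce the divergence between the two anchors, regardless of which Cosign version verifies it. Signatures made while the intermediate was still valid continue to verify under the fixed anchor, so the fix only removes the post-expiry window.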

Remediation Steps:

  1. Download the latest release binary from the Sigstore GitHub releases page.
  2. Verify the binary checksum.
  3. Replace the existing cosign binary in your CI/CD pipelines.
  4. If you use Cosign as a Go library: update go.mod to require github.com/sigstore/cosign/v2 v2.4.0 (or the v3.0.5 equivalent) and run go mod tidy.

Read the full report for CVE-2026-24122 on our website for more details including interactive diagrams and full exploit analysis.
