CVE-2026-12681: CWE-1285 Improper validation of specified index, position, or offset in input in Google go-attestation
CVE-2026-12681 is a high-severity vulnerability in Google go-attestation versions prior to 0.6.1. The flaw involves improper validation of an index or offset in the parseEfiSignatureList() function, which fails to correctly advance the buffer past vendor bytes before reading entries. This allows an attacker to append arbitrary SHA256 hashes to the trusted measurement database via a crafted TPM event log, potentially causing a remote attestation verifier to accept a compromised boot state.
AI Analysis
Technical Summary
The vulnerability in Google go-attestation (CVE-2026-12681) is an improper validation of a specified index, position, or offset in input (CWE-1285) within the parseEfiSignatureList() function. The function does not advance the buffer past the vendor header bytes before it starts reading entries, so for hashSHA256SigGUID lists the attacker-controlled vendor header bytes are read as if they belonged to the SHA256 hash list and end up appended to the trusted hashes. Consequently, a crafted TPM event log can insert arbitrary SHA256 hashes into the verifier's trusted measurement database, and a remote attestation verifier may then accept a compromised boot state. Versions of go-attestation prior to 0.6.1 are affected.
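As an added example (not go-attestation's code and not a reconstruction of the affected function), the following Go program shows how a verifier should parse an EFI_SIGNATURE_LIST: it reads SignatureHeaderSize, advances past the vendor header before slicing entries, and rejects lists whose size fields are inconsistent with the buffer. The record layout and EFI_CERT_SHA256_GUID come from the UEFI specification; the sample list, the 4-byte vendor header, the all-zero SignatureOwner and the digest values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fixed header of EFI_SIGNATURE_LIST (UEFI spec): SignatureType GUID (16),
// SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4).
const efiSigListHdrLen = 16 + 4 + 4 + 4

// One EFI_SIGNATURE_DATA entry of a SHA-256 list: SignatureOwner GUID (16) + digest (32).
const sha256EntryLen = 16 + 32

// EFI_CERT_SHA256_GUID (c1c41626-504c-4092-aca9-41f936934328) in its on-disk
// mixed-endian byte order.
var efiCertSHA256GUID = [16]byte{
	0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28,
}

// SignatureList holds one parsed EFI_SIGNATURE_LIST.
type SignatureList struct {
	Type      [16]byte
	VendorHdr []byte   // SignatureHeader bytes; kept opaque, never treated as entries
	Entries   [][]byte // raw EFI_SIGNATURE_DATA entries, each SignatureSize bytes
}

// ParseEfiSignatureList parses the list at the start of buf and returns it with
// the number of bytes consumed, so a caller can walk a concatenation of lists.
// Every size field is checked against the buffer before it is used as an offset.
func ParseEfiSignatureList(buf []byte) (*SignatureList, int, error) {
	if len(buf) < efiSigListHdrLen {
		return nil, 0, errors.New("buffer shorter than EFI_SIGNATURE_LIST header")
	}
	var sl SignatureList
	copy(sl.Type[:], buf[:16])
	listSize := binary.LittleEndian.Uint32(buf[16:20])
	hdrSize := binary.LittleEndian.Uint32(buf[20:24])
	sigSize := binary.LittleEndian.Uint32(buf[24:28])

	if listSize < efiSigListHdrLen || uint64(listSize) > uint64(len(buf)) {
		return nil, 0, fmt.Errorf("SignatureListSize %d out of range for %d-byte buffer", listSize, len(buf))
	}
	bodyLen := listSize - efiSigListHdrLen
	if hdrSize > bodyLen {
		return nil, 0, fmt.Errorf("SignatureHeaderSize %d exceeds list body of %d bytes", hdrSize, bodyLen)
	}
	entriesLen := bodyLen - hdrSize
	if sigSize == 0 || entriesLen%sigSize != 0 {
		return nil, 0, fmt.Errorf("entry area of %d bytes is not a multiple of SignatureSize %d", entriesLen, sigSize)
	}
	if sl.Type == efiCertSHA256GUID && sigSize != sha256EntryLen {
		return nil, 0, fmt.Errorf("SHA-256 list with SignatureSize %d, want %d", sigSize, sha256EntryLen)
	}

	off := efiSigListHdrLen
	sl.VendorHdr = buf[off : off+int(hdrSize)]
	off += int(hdrSize) // advance past the vendor header before reading entries
	for end := int(listSize); off < end; off += int(sigSize) {
		sl.Entries = append(sl.Entries, buf[off:off+int(sigSize)])
	}
	return &sl, int(listSize), nil
}

// SHA256Digests returns the hex digests of a SHA-256 list, dropping each
// entry's SignatureOwner GUID.
func (sl *SignatureList) SHA256Digests() ([]string, error) {
	if sl.Type != efiCertSHA256GUID {
		return nil, errors.New("not an EFI_CERT_SHA256_GUID list")
	}
	out := make([]string, 0, len(sl.Entries))
	for _, e := range sl.Entries {
		out = append(out, hex.EncodeToString(e[16:]))
	}
	return out, nil
}

// BuildSHA256SignatureList serialises a constructed SHA-256 list with the given
// vendor header and digests (all-zero SignatureOwner), for tests and demos.
func BuildSHA256SignatureList(vendorHdr []byte, digests [][32]byte) []byte {
	var b bytes.Buffer
	b.Write(efiCertSHA256GUID[:])
	listSize := uint32(efiSigListHdrLen + len(vendorHdr) + len(digests)*sha256EntryLen)
	binary.Write(&b, binary.LittleEndian, listSize)
	binary.Write(&b, binary.LittleEndian, uint32(len(vendorHdr)))
	binary.Write(&b, binary.LittleEndian, uint32(sha256EntryLen))
	b.Write(vendorHdr)
	var owner [16]byte
	for _, d := range digests {
		b.Write(owner[:])
		b.Write(d[:])
	}
	return b.Bytes()
}

func main() {
	// Constructed sample: a 4-byte vendor header followed by two digests.
	var d1, d2 [32]byte
	for i := range d1 {
		d1[i], d2[i] = 0x11, 0x22
	}
	list := BuildSHA256SignatureList([]byte{0xde, 0xad, 0xbe, 0xef}, [][32]byte{d1, d2})
	sl, n, err := ParseEfiSignatureList(list)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	digests, _ := sl.SHA256Digests()
	fmt.Printf("consumed %d bytes, vendor header %x, %d digests\n", n, sl.VendorHdr, len(digests))
	for _, d := range digests {
		fmt.Println(" ", d)
	}
}
```

The vendor header is returned separately from the entries so that a caller can log or ignore it but never mistake it for a measurement; the size checks run before any slicing, which is what prevents a hostile SignatureHeaderSize or SignatureListSize from steering the parser outside the buffer or onto a misaligned entry boundary.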
Potential Impact
An attacker can exploit this vulnerability to inject arbitrary SHA256 hashes into the trusted measurement database used by remote attestation verifiers. This can cause the verifier to accept a compromised boot state as trusted, undermining the integrity guarantees of the attestation process. The vulnerability has a high CVSS 4.0 score of 8.9, indicating significant potential impact on system trustworthiness and security.
Mitigation Recommendations
The advisory records no remediation level, and no official patch has been published yet. All go-attestation releases prior to 0.6.1 are affected; upgrade to version 0.6.1 or later once it is available. Until then, monitor the vendor advisory for updates and avoid relying on vulnerable versions for critical attestation tasks.
CVSS v4.0
Score: 8.9 (High)
Affected software
pkg:golang/github.com/google/go-attestation
Weaknesses
CWE-1285: Improper validation of specified index, position, or offset in input
Technical Details
- Data Version: 5.2
- Assigner Short Name:
- Date Reserved: 2026-06-19T05:49:21.869Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b3542eed863c81e0f35dc
Added to database: 06/24/2026, 01:39:14 UTC
Last enriched: 06/24/2026, 01:54:10 UTC
Last updated: 06/24/2026, 01:54:10 UTC
Views: 3