CVE-2026-22696: CWE-347: Improper Verification of Cryptographic Signature in Phala-Network dcap-qvl
CVE-2026-22696 is a critical vulnerability in the Phala-Network dcap-qvl library versions prior to 0.3.9, which implements quote verification for Intel SGX and TDX remote attestation. The flaw involves improper verification of the QE Identity cryptographic signature, allowing attackers to forge QE Identity data and whitelist malicious or non-Intel Quoting Enclaves. This bypasses the remote attestation security model, enabling acceptance of forged quotes as valid without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 score of 9.3 (critical) and affects all deployments relying on dcap-qvl for quote verification. The issue is fixed in version 0. 3.
AI Analysis
Technical Summary
The vulnerability CVE-2026-22696 affects the dcap-qvl library, a component used for verifying Intel SGX and TDX quotes via the Data Center Attestation Primitives (DCAP). The core issue lies in the improper verification of the Quoting Enclave (QE) Identity's cryptographic signature. Specifically, versions of dcap-qvl prior to 0.3.9 fetch QE Identity collateral from the Provisioning Certificate Caching Service (PCCS), including the QE Identity certificate, its signature, and the certificate chain, but fail to verify the QE Identity signature against the certificate chain. Additionally, the library does not enforce policy constraints on the QE Report, such as validating MRSIGNER, ISVPRODID, and ISVSVN fields. This flaw enables an attacker to forge QE Identity data, effectively whitelisting a malicious or non-Intel Quoting Enclave. Consequently, the attacker can generate forged quotes that the verifier will accept as valid, completely undermining the remote attestation security model. This model is critical for establishing trust in SGX/TDX enclaves by ensuring that only genuine, authorized enclaves can attest their integrity and identity. The vulnerability requires no privileges or user interaction to exploit and affects all systems using dcap-qvl for quote verification. The fix introduced in dcap-qvl version 0.3.9 implements the missing cryptographic verification of the QE Identity signature and enforces the necessary policy checks on the QE Report. Users of related packages such as @phala/dcap-qvl-node and @phala/dcap-qvl-web are advised to switch to the pure JavaScript implementation @phala/dcap-qvl and upgrade to the patched version. No workarounds are available, making timely patching essential.
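The two checks described above, shown as an added Node.js example rather than code from dcap-qvl: the identity bytes are authenticated before they are parsed, and only then is the QE Report compared against them. The field names (`identityBody`, `signature`, `minIsvsvn`), the helper names and the sample values are simplified assumptions; the signing key is a throwaway P-256 key, and validation of the certificate chain to a pinned root is assumed to have happened already.

```javascript
const { generateKeyPairSync, sign, verify } = require("node:crypto");
const ECDSA = (key) => ({ key, dsaEncoding: "ieee-p1363" }); // raw r||s signatures

// Hardened step 1: authenticate the exact identity bytes before parsing them.
// signingKey is assumed to come from a chain already validated to a pinned root.
function verifyQeIdentity(collateral, signingKey) {
  const sig = Buffer.from(collateral.signature, "hex");
  if (!verify("sha256", Buffer.from(collateral.identityBody), ECDSA(signingKey), sig))
    throw new Error("QE Identity signature invalid");
  return JSON.parse(collateral.identityBody);
}

// Hardened step 2: enforce the QE Report policy fields named in the advisory.
function checkQeReport(identity, report) {
  if (report.mrsigner !== identity.mrsigner) return "MRSIGNER mismatch";
  if (report.isvprodid !== identity.isvprodid) return "ISVPRODID mismatch";
  if (report.isvsvn < identity.minIsvsvn) return "ISVSVN below minimum";
  return "accepted";
}

function evaluate(collateral, signingKey, report) {
  try {
    return checkQeReport(verifyQeIdentity(collateral, signingKey), report);
  } catch (err) {
    return err.message;
  }
}

// Pre-fix behaviour described in the advisory: identity used without authentication.
function evaluateUnverified(collateral, report) {
  return checkQeReport(JSON.parse(collateral.identityBody), report);
}

// Constructed sample data: a throwaway P-256 key stands in for the identity signer.
const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const body = (id) => JSON.stringify(id);
const genuine = { identityBody: body({ mrsigner: "aa".repeat(32), isvprodid: 1, minIsvsvn: 8 }) };
genuine.signature = sign("sha256", Buffer.from(genuine.identityBody), ECDSA(privateKey)).toString("hex");
// Tampered collateral: identity fields changed, so the signature no longer matches.
const tampered = {
  identityBody: body({ mrsigner: "bb".repeat(32), isvprodid: 1, minIsvsvn: 0 }),
  signature: genuine.signature,
};
const expectedQe = { mrsigner: "aa".repeat(32), isvprodid: 1, isvsvn: 8 };
const otherQe = { mrsigner: "bb".repeat(32), isvprodid: 1, isvsvn: 0 };

console.log(evaluate(genuine, publicKey, expectedQe)); // hardened path, genuine data
console.log(evaluate(tampered, publicKey, otherQe)); // hardened path, tampered data
console.log(evaluateUnverified(tampered, otherQe)); // unauthenticated path
```

The last call shows why the policy check alone is not enough: when the identity is not authenticated, the report is compared against values the sender of the collateral chose.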
Potential Impact
For European organizations, this vulnerability poses a severe risk to the integrity and trustworthiness of systems relying on Intel SGX or TDX remote attestation mechanisms that use the dcap-qvl library. The ability to forge QE Identity data and produce accepted fake quotes allows attackers to bypass enclave trust boundaries, potentially enabling unauthorized code execution within supposedly secure enclaves, data leakage, or manipulation of sensitive computations. This undermines the confidentiality and integrity guarantees provided by SGX/TDX, which are often used in critical sectors such as finance, healthcare, telecommunications, and government services across Europe. The impact is particularly significant for cloud providers and enterprises deploying confidential computing solutions that rely on remote attestation to verify enclave authenticity. The lack of authentication or user interaction required for exploitation increases the attack surface and ease of exploitation. Failure to patch could lead to advanced persistent threats leveraging this flaw to compromise secure enclaves, resulting in data breaches, intellectual property theft, or disruption of secure services.
Mitigation Recommendations
European organizations should immediately upgrade all deployments of the dcap-qvl library to version 0.3.9 or later to ensure proper cryptographic verification of QE Identity signatures and enforcement of QE Report policy constraints. Users of the @phala/dcap-qvl-node and @phala/dcap-qvl-web packages should migrate to the pure JavaScript implementation @phala/dcap-qvl and update to the patched version. It is critical to audit all systems using SGX or TDX quote verification to identify vulnerable versions of dcap-qvl. Since no workarounds exist, patching is the only effective mitigation. Organizations should also review their enclave attestation workflows and logs for any suspicious or anomalous quote verifications that might indicate exploitation attempts. Implementing network segmentation and strict access controls around provisioning and attestation services can reduce exposure. Additionally, monitoring for updates from Intel and Phala-Network regarding related components and applying security advisories promptly will help maintain a secure environment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.856Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69790cec4623b1157c4004ad
Added to database: 1/27/2026, 7:07:24 PM
Last enriched: 1/27/2026, 7:08:58 PM
Last updated: 1/27/2026, 9:39:25 PM