CVE-2026-24122: CWE-295: Improper Certificate Validation in sigstore cosign
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
AI Analysis
Technical Summary
Cosign is a tool within the sigstore project that provides code signing and transparency for container images and binaries, ensuring the integrity and provenance of software artifacts. In versions 3.0.4 and earlier, a certificate validation flaw exists related to the handling of certificate expiration times in the verification process. When verifying artifact signatures, cosign first validates the certificate chain using the leaf certificate's "not before" timestamp, then checks the leaf certificate's expiry using either a signed timestamp from the Rekor transparency log, a timestamp authority, or the current time. However, the root and issuing certificates are assumed valid throughout the leaf certificate's validity period without independently verifying their expiration status. This means if an issuing certificate expires before the leaf certificate, cosign still treats it as valid during verification, ignoring the actual expiration. This improper certificate validation corresponds to CWE-295 and can undermine the trust model of the signature verification process. The issue does not impact users relying on the public Sigstore infrastructure, which uses standard PKI and timestamping mechanisms, but it can affect private deployments that use customized PKI hierarchies. The vulnerability was assigned CVE-2026-24122 and has been resolved in cosign version 3.0.5. The CVSS v3.1 base score is 3.7, reflecting a low severity due to the network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on integrity without affecting confidentiality or availability. No known exploits have been reported in the wild.
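As an added illustration (example code written for this page, not cosign's own implementation), the Go program below constructs a throwaway root, intermediate and leaf in which the intermediate expires before the leaf, then contrasts the two-step order the advisory describes (chain validated at the leaf's "not before", only the leaf's own window compared against the signing time) with a check that validates the whole chain at the signing time. Certificate names, validity windows and the function names `BuildChain`, `LenientVerify` and `StrictVerify` are constructed for the example and are not cosign identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy (test data, not a real PKI).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// makeCert generates a P-256 key, signs tmpl with parentKey (or self-signs when
// parent is nil) and returns the parsed certificate together with its private key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs the advisory's scenario: the intermediate expires one day
// after start, while the leaf stays valid for ten days (constructed windows).
func BuildChain(start time.Time) (*Chain, error) {
	day := 24 * time.Hour
	root, rootKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root"},
		NotBefore: start.Add(-time.Hour), NotAfter: start.Add(365 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-intermediate"},
		NotBefore: start.Add(-time.Hour), NotAfter: start.Add(1 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "constructed-signer"},
		NotBefore: start, NotAfter: start.Add(10 * day),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// chainValidAt builds the path from leaf to root, requiring every certificate
// on the path to be inside its validity period at the given instant.
func chainValidAt(c *Chain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// LenientVerify mirrors the order the advisory describes: the chain is checked at
// the leaf's NotBefore, and afterwards only the leaf's own window is compared with
// the signing time, so an issuer that expired before signingTime goes unnoticed.
func LenientVerify(c *Chain, signingTime time.Time) bool {
	if chainValidAt(c, c.Leaf.NotBefore) != nil {
		return false
	}
	return !signingTime.Before(c.Leaf.NotBefore) && !signingTime.After(c.Leaf.NotAfter)
}

// StrictVerify is the corrected form: the whole chain must be valid at the
// signing time, so an expired issuer causes rejection.
func StrictVerify(c *Chain, signingTime time.Time) bool {
	return chainValidAt(c, signingTime) == nil
}

func main() {
	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	c, err := BuildChain(start)
	if err != nil {
		panic(err)
	}
	// Day 0: both checks accept. Day 5: the intermediate has expired, so only
	// the lenient order still accepts the signature.
	for _, at := range []time.Time{start, start.Add(5 * 24 * time.Hour)} {
		fmt.Printf("signed at %s: lenient=%v strict=%v\n", at.Format(time.RFC3339),
			LenientVerify(c, at), StrictVerify(c, at))
	}
}
```

The signing time stands in for the Rekor integrated time, a timestamp-authority token or the current time, whichever the deployment uses; the point of the strict form is that the same instant is applied to every certificate on the path rather than only to the leaf. For private PKIs, running such a check against the issuing certificates' windows is a quick way to confirm that no leaf outlives its issuer.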
Potential Impact
The primary impact of this vulnerability is the potential for attackers to exploit the acceptance of expired issuing certificates in private cosign deployments, which could allow them to forge or reuse artifact signatures that should otherwise be considered invalid. This undermines the integrity of the software supply chain by allowing potentially malicious or outdated artifacts to be trusted erroneously. While the vulnerability does not affect the public Sigstore infrastructure, organizations running private PKI environments with cosign may face risks of signature spoofing or bypassing revocation checks. This could lead to the deployment of unauthorized or tampered container images or binaries, increasing the risk of supply chain attacks, malware distribution, or unauthorized code execution. However, the attack complexity is high, and exploitation requires control or compromise of the certificate issuance process or the ability to present expired issuing certificates. The confidentiality and availability of systems are not directly impacted, limiting the overall severity. Organizations relying heavily on private cosign deployments for critical software signing and verification processes are the most at risk.
Mitigation Recommendations
Organizations using cosign in private deployments with customized PKIs should upgrade to version 3.0.5 or later immediately to ensure proper certificate expiration validation. Additionally, private PKI administrators should audit their certificate issuance and expiration policies to ensure issuing certificates do not expire before leaf certificates. Implement strict certificate lifecycle management and monitoring to detect and revoke expired or invalid certificates promptly. Employ additional verification layers such as external timestamp authorities or transparency logs to cross-validate certificate validity periods. Regularly review and test the signature verification process in private environments to detect anomalies related to certificate validation. Consider isolating private PKI environments and restricting access to certificate issuance to reduce the risk of malicious certificate creation. Finally, maintain awareness of updates from the sigstore project and apply security patches promptly.
Affected Countries
United States, Germany, Japan, United Kingdom, Canada, France, Netherlands, Australia, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-21T18:38:22.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69978f65d7880ec89b384555
Added to database: 2/19/2026, 10:32:05 PM
Last enriched: 2/28/2026, 2:45:16 PM
Last updated: 4/8/2026, 9:00:41 AM