Security update for cosign
This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types (bsc#1261859). Changes for cosign: - update to 3.0.6: * Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801) * Handle whitespace-only certificate annotation (#4760) * fix(sign): closing SignerVerifier too early when signing with a security key (#4761) * Disallow --new-bundle-format and --rfc3161-timestamp (#4762) * support managed keys in conformance testing (#4728) * Add support for GCE metadata server env var (#4732) * fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709) * Fix parsing of in-toto for string predicates * Mark batch of flags for deprecation (#4698) * disallow key and cert identity being used together during verification (#4636) * support key creation in GitLab group (#4704) - Set CGO_ENABLED=1 for fixing s390x failed build - build against a maintained golang version (upstream uses go1.20)
AI Analysis
Technical Summary
CVE-2026-39395 is a vulnerability in the cosign tool where attestation verification can be incorrect due to malformed payloads or mismatched predicate types. The issue is addressed in cosign version 3.0.6, which fixes the DSSE predicate check among other improvements. This vulnerability could lead to improper verification of attestations, potentially undermining trust in signed artifacts. The fix includes disallowing certain verification options and improving predicate parsing. The vendor advisory from SUSE Product Security Team confirms the update and remediation.
Potential Impact
The vulnerability allows incorrect attestation verification, which may result in accepting malformed or improperly verified attestations. This could undermine the security guarantees provided by cosign for signed artifacts, potentially allowing untrusted or malicious content to be accepted as valid. However, no known exploits in the wild have been reported.
Mitigation Recommendations
A security update to cosign version 3.0.6 is available that fixes the vulnerability. Users should upgrade to this version to remediate the issue. No additional mitigation steps are indicated by the vendor advisory.
Security update for cosign
Description
This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types (bsc#1261859). Changes for cosign: - update to 3.0.6: * Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801) * Handle whitespace-only certificate annotation (#4760) * fix(sign): closing SignerVerifier too early when signing with a security key (#4761) * Disallow --new-bundle-format and --rfc3161-timestamp (#4762) * support managed keys in conformance testing (#4728) * Add support for GCE metadata server env var (#4732) * fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709) * Fix parsing of in-toto for string predicates * Mark batch of flags for deprecation (#4698) * disallow key and cert identity being used together during verification (#4636) * support key creation in GitLab group (#4704) - Set CGO_ENABLED=1 for fixing s390x failed build - build against a maintained golang version (upstream uses go1.20)
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39395 is a vulnerability in the cosign tool where attestation verification can be incorrect due to malformed payloads or mismatched predicate types. The issue is addressed in cosign version 3.0.6, which fixes the DSSE predicate check among other improvements. This vulnerability could lead to improper verification of attestations, potentially undermining trust in signed artifacts. The fix includes disallowing certain verification options and improving predicate parsing. The vendor advisory from SUSE Product Security Team confirms the update and remediation.
Potential Impact
The vulnerability allows incorrect attestation verification, which may result in accepting malformed or improperly verified attestations. This could undermine the security guarantees provided by cosign for signed artifacts, potentially allowing untrusted or malicious content to be accepted as valid. However, no known exploits in the wild have been reported.
Mitigation Recommendations
A security update to cosign version 3.0.6 is available that fixes the vulnerability. Users should upgrade to this version to remediate the issue. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- SUSE Product Security Team
- Advisory Id
- SUSE-SU-2026:2365-1
- Cve Count
- 1
- Additional Cves
- []
- Cvss Version
- null
Threat ID: 6a2bea18e617e2d8345899b0
Added to database: 6/12/2026, 11:14:32 AM
Last enriched: 6/12/2026, 11:16:38 AM
Last updated: 6/12/2026, 12:20:08 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.