PT-2026-20949 · Sigstore · Cosign
Published 2026-02-19 · Updated 2026-04-28
CVE-2026-24122 · CVSS v3.1 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Cosign versions 3.0.4 and below
Description
Cosign is a tool that provides code signing and transparency for containers and binaries. A flaw in its certificate validation allows a signature to verify against an expired intermediate Certificate Authority under certain conditions. When verifying an artifact signature, Cosign first validates the certificate chain using the leaf certificate's "not before" timestamp as the reference time, and only afterwards checks the leaf certificate's own validity window against a signed timestamp (or, when no timestamp is supplied, the current time). The root and every issuing certificate are therefore only ever evaluated at the moment the leaf became valid; they are assumed to remain valid for the leaf's whole validity period. If an issuing certificate expires before the leaf it issued, and the signed timestamp places the signature after that expiry but still inside the leaf's validity window, the chain check passes even though the issuer had already expired when the signature was made. This issue does not affect users of the public Sigstore infrastructure, but it may affect private deployments with customized PKIs, specifically those in which an intermediate can expire before the leaf certificates it has issued.
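The timeline the description sets out, reconstructed as an added example. This is illustrative code written for this page, not Cosign's own verifier: it builds a constructed three-tier PKI whose intermediate expires after one year while the leaf it issued stays valid for two, fixes a hypothetical trusted signing time SignedAt that falls between the two expiries, and places the flawed ordering of checks (VerifyVulnerable) beside a version that evaluates the whole chain at the signing time (VerifyHardened). All names, validity periods and the signing time are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI: root -> intermediate -> leaf.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// Assumed timeline (not from the advisory): root 2025-01-01..2035-01-01,
// intermediate 2025-01-01..2026-01-01 (expires first), leaf 2025-07-01..2027-01-01
// (outlives its issuer). SignedAt stands in for a trusted signing time, e.g. from
// a TSA token or a transparency-log entry: after the issuer expired, leaf still valid.
var (
	base     = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	SignedAt = base.AddDate(1, 6, 0) // 2026-07-01
)

// makeCert issues tmpl under parent with a fresh P-256 key; nil parent = self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(serial int64, cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: base, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain builds the PKI described in the timeline comment above.
func BuildChain() (*Chain, error) {
	root, rootKey, err := makeCert(caTemplate(1, "Example Private Root", base.AddDate(10, 0, 0)), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := makeCert(caTemplate(2, "Example Private Intermediate", base.AddDate(1, 0, 0)), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "signer@example.invalid"},
		NotBefore: base.AddDate(0, 6, 0), NotAfter: base.AddDate(2, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// verifyAt validates root, intermediate and leaf against the reference time at.
func (c *Chain) verifyAt(at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// VerifyVulnerable follows the ordering the advisory describes: the chain is
// validated at the leaf's NotBefore (the issuer was still valid then) and only
// the leaf's own window is afterwards checked against the signing time.
func VerifyVulnerable(c *Chain, signedAt time.Time) error {
	if err := c.verifyAt(c.Leaf.NotBefore); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if signedAt.Before(c.Leaf.NotBefore) || signedAt.After(c.Leaf.NotAfter) {
		return fmt.Errorf("leaf certificate not valid at signing time")
	}
	return nil // accepted although the intermediate had expired by signedAt
}

// VerifyHardened evaluates every certificate in the chain at the signing time,
// so an issuer that expired before the signature was made is rejected.
func VerifyHardened(c *Chain, signedAt time.Time) error {
	return c.verifyAt(signedAt)
}
```

Calling VerifyVulnerable(c, SignedAt) returns nil, while VerifyHardened(c, SignedAt) returns an expiry error for the intermediate; a signing time inside both validity windows still passes the hardened check, and one before the leaf's NotBefore fails it. The signing time fed to the hardened check must itself come from a trusted source (an RFC 3161 timestamp or a transparency-log entry), not from the signer, or the check can simply be backdated.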
Recommendations
Upgrade to version 3.0.5 or later.
As a workaround, verify the certificate chain independently, checking every certificate in the chain (not only the leaf) against the signing time taken from the signed timestamp.
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Affected Products
Cosign