PT-2026-30011 · Go Jose+2 · Go-Jose+2

Published: 2026-04-03 · Updated: 2026-05-26 · CVE-2026-34986

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Go JOSE versions prior to 4.1.4 and versions prior to 3.0.5

Description

Go JOSE, an implementation of the JavaScript Object Signing and Encryption standards in Go, is susceptible to a denial of service. When decrypting a JSON Web Encryption (JWE) object, a panic occurs if the alg field indicates a key wrapping algorithm (ending in KW, excluding A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. This panic arises from cipher.KeyUnwrap() in key_wrap.go attempting to allocate a slice with an invalid length. The issue is triggered through ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact() followed by Decrypt(). The vulnerability can also be reached by directly calling cipher.KeyUnwrap() with a ciphertext parameter less than 16 bytes long.

Recommendations

Update to Go JOSE version 4.1.4 or 3.0.5 to resolve this issue.
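
For services that cannot pick up 4.1.4 or 3.0.5 immediately, the condition in the description can be screened before a token reaches the library. The following is an added example, not code from go-jose or from this advisory: CheckCompactJWE, build and errShortWrappedKey are hypothetical names, the guard covers the compact serialization only, and the 16-byte threshold is the one quoted in the description.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var errShortWrappedKey = errors.New("jwe: key-wrap alg with encrypted key shorter than 16 bytes")

// CheckCompactJWE is a hypothetical pre-parse guard (not a go-jose API). It rejects compact
// JWEs whose alg ends in KW (GCMKW excluded) and whose encrypted key decodes to < 16 bytes.
func CheckCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return errors.New("jwe: compact serialization needs 5 segments")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("jwe: bad header encoding: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return fmt.Errorf("jwe: bad header JSON: %w", err)
	}
	if !strings.HasSuffix(hdr.Alg, "KW") || strings.HasSuffix(hdr.Alg, "GCMKW") {
		return nil // alg is outside the affected family named in the description
	}
	key, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("jwe: bad encrypted key encoding: %w", err)
	}
	if len(key) < 16 { // threshold taken from the advisory text
		return errShortWrappedKey
	}
	return nil
}

// build assembles a constructed sample token; the iv, ciphertext and tag segments are dummies.
func build(alg string, encKey []byte) string {
	e := base64.RawURLEncoding.EncodeToString
	return e([]byte(`{"alg":"`+alg+`","enc":"A128GCM"}`)) + "." + e(encKey) + ".AAAA.AAAA.AAAA"
}

func main() {
	fmt.Println(CheckCompactJWE(build("A128KW", nil)), CheckCompactJWE(build("A128KW", make([]byte, 24))))
}
```

A guard like this only narrows exposure on the compact path; ParseEncryptedJSON() input and direct cipher.KeyUnwrap() callers still need the upgrade.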

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:10135
ALSA-2026:19017
ALSA-2026:19135
ALSA-2026:19173
ALSA-2026:19186
ALSA-2026:19353
CLEANSTART-2026-AP92343
CLEANSTART-2026-AP95632
CLEANSTART-2026-AQ65185
CLEANSTART-2026-BB83999
CLEANSTART-2026-BD19566
CLEANSTART-2026-BN28456
CLEANSTART-2026-BU65096
CLEANSTART-2026-CB00984
CLEANSTART-2026-CC08450
CLEANSTART-2026-CI59834
CLEANSTART-2026-CN84623
CLEANSTART-2026-CR00119
CLEANSTART-2026-CY26398
CLEANSTART-2026-CZ07385
CLEANSTART-2026-DM19620
CLEANSTART-2026-DW32113
CLEANSTART-2026-EP10142
CLEANSTART-2026-ET12387
CLEANSTART-2026-FA95643
CLEANSTART-2026-FB07695
CLEANSTART-2026-FH54780
CLEANSTART-2026-FK30234
CLEANSTART-2026-FR97108
CLEANSTART-2026-FU04414
CLEANSTART-2026-FV86809
CLEANSTART-2026-GB46352
CLEANSTART-2026-GG06672
CLEANSTART-2026-GN78570
CLEANSTART-2026-GY48351
CLEANSTART-2026-HC15345
CLEANSTART-2026-HF07497
CLEANSTART-2026-HK01840
CLEANSTART-2026-HQ88036
CLEANSTART-2026-HU33730
CLEANSTART-2026-IS19112
CLEANSTART-2026-JG72006
CLEANSTART-2026-JK52519
CLEANSTART-2026-KC83705
CLEANSTART-2026-KJ58915
CLEANSTART-2026-KT28044
CLEANSTART-2026-LO63022
CLEANSTART-2026-LR89498
CLEANSTART-2026-LT10352
CLEANSTART-2026-LU21824
CLEANSTART-2026-MI12470
CLEANSTART-2026-MW66533
CLEANSTART-2026-NB83265
CLEANSTART-2026-NR54556
CLEANSTART-2026-NS33477
CLEANSTART-2026-OF37807
CLEANSTART-2026-OH72236
CLEANSTART-2026-OU18540
CLEANSTART-2026-PB32291
CLEANSTART-2026-PM06830
CLEANSTART-2026-PY36202
CLEANSTART-2026-QO29688
CLEANSTART-2026-QP84300
CLEANSTART-2026-QS87161
CLEANSTART-2026-SA98061
CLEANSTART-2026-SO13464
CLEANSTART-2026-TN07413
CLEANSTART-2026-TT42218
CLEANSTART-2026-UG89030
CLEANSTART-2026-UW08576
CLEANSTART-2026-UX07516
CLEANSTART-2026-UZ17701
CLEANSTART-2026-VB45003
CLEANSTART-2026-VT65447
CLEANSTART-2026-WA84208
CLEANSTART-2026-WB89098
CLEANSTART-2026-WL14185
CVE-2026-34986
GHSA-78H2-9FRX-2JM8
GO-2026-4945
OPENSUSE-SU-2026:10529-1
OPENSUSE-SU-2026:10577-1
OPENSUSE-SU-2026:10613-1
OPENSUSE-SU-2026:10630-1
OPENSUSE-SU-2026:10631-1
OPENSUSE-SU-2026:10651-1
OPENSUSE-SU-2026:10654-1
OPENSUSE-SU-2026:10655-1
OPENSUSE-SU-2026:10677-1
OPENSUSE-SU-2026:10697-1
OPENSUSE-SU-2026:10698-1
OPENSUSE-SU-2026:10700-1
OPENSUSE-SU-2026:10702-1
OPENSUSE-SU-2026:10712-1
OPENSUSE-SU-2026:10744-1
RHSA-2026:10135
RHSA-2026:16696
RHSA-2026:17040
RHSA-2026:17287
RHSA-2026:19173
RHSA-2026:19186

Affected Products

Go-Jose
Red Os
Rocky Linux