Improper Certificate Validation Affecting slsa-verifier package, versions <2.7.1-r23


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.2% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-SLSAVERIFIER-17802906
  • published3 Jul 2026
  • disclosed19 Feb 2026

Introduced: 19 Feb 2026

CVE-2026-24122  (opens in a new tab)
CWE-295  (opens in a new tab)

How to fix?

Upgrade Chainguard slsa-verifier to version 2.7.1-r23 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream slsa-verifier package and not the slsa-verifier package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.

CVSS Base Scores

version 3.1