Description
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.
Published: 2026-06-24
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can craft a TPM event log that exploits the failure of the Google go‑attestation library to advance past vendor header bytes in the parseEfiSignatureList function. Because the parser reads vendor bytes as part of a hash list, the attacker’s chosen bytes can be appended to the trusted SHA‑256 hash database. This flaw enables the injection of arbitrary SHA‑256 hashes, allowing a remote attestation verifier to accept a compromised boot state—a classic integrity breach classified as CWE‑1285.

Affected Systems

All users of the Google go‑attestation library through version 0.6.0 are affected. The vulnerability exists in the default parsing logic and does not require any additional configuration. Versions 0.6.1 and later include the vendor header validation fix and are not impacted.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity, and although the EPSS score is unavailable, the flaw’s potential to compromise the integrity of remote attestation systems makes it a significant risk. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a maliciously crafted TPM event log to an attestation verifier that processes untrusted or insufficiently validated logs; if used, the flaw could lead to successful integrity subversion of the boot process.

Generated by OpenCVE AI on June 24, 2026 at 09:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to go‑attestation version 0.6.1 or later, which implements proper vendor header validation.
  • Configure the TPM event log verifier to accept logs only from trusted, authenticated sources, reducing the attack surface.
  • Add application‑level checks to ensure vendor header bytes are within expected bounds and offsets are validated before signature list processing.

Generated by OpenCVE AI on June 24, 2026 at 09:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Title Vendor Header Validation Failure Allows Trusted Hash Injection in TPM Event Logs

Wed, 24 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Title Vendor Header Validation Failure Allows Trusted Hash Injection in TPM Event Logs

Wed, 24 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google go-attestation
Vendors & Products Google
Google go-attestation

Wed, 24 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.
Weaknesses CWE-1285
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


Subscriptions

Google Go-attestation
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-06-24T12:57:35.436Z

Reserved: 2026-06-19T05:49:21.869Z

Link: CVE-2026-12681

cve-icon Vulnrichment

Updated: 2026-06-24T12:57:30.907Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input