Description
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. The validate() function returns nil (success) when the message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues; the availability impact is therefore minimal. This issue has been fixed in version 1.5.0.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Rekor, a supply-chain transparency log, suffers from a nil pointer dereference when canonicalizing a COSE v0.0.1 entry that has an empty spec.message field. If an attacker submits such a malformed entry, the validate() function returns success without initializing sign1Msg, and Canonicalize() later dereferences the uninitialized payload, causing a panic. The panic is caught, a 500 error is returned to the client, and the service continues to run, so the observed impact is a denial of service limited to that single request.

Affected Systems

The flaw affects all Rekor (sigstore:rekor) installations running version 1.4.3 or earlier. It is fixed in version 1.5.0. Any deployment of Rekor that accepts externally constructed COSE entries is potentially exposed.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity. The EPSS score is < 1%, indicating a very low likelihood of exploitation. Rekor is exposed over the network through its entry ingestion APIs. The likely attack vector is an attacker submitting a malicious COSE v0.0.1 entry with an empty spec.message field by means of an unauthenticated HTTP request, if the endpoint permits such submissions; this inference is based on the description of the API exposure and the absence of stated authentication constraints. The exploit would trigger a panic that is recovered, causing a 500 error for that specific request, while the overall service remains available, so the impact is limited to a single request and provides neither persistence nor broader compromise.

Generated by OpenCVE AI on April 18, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rekor v1.5.0 or later where the issue is fixed.
  • Limit who can submit entries to Rekor and validate that spec.message is not empty before forwarding them.
  • Monitor application logs for panic or 500 responses and alert on repeated failures.

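As an added illustration (not Rekor's code; the type and field names are simplified assumptions), the following Go example places the validate() pattern named in the description and the Impact section, which reports an empty message as valid and leaves sign1Msg unset so canonicalize() dereferences a nil pointer, beside the hardened validate() that the recommended actions call for. It also shows the panic being recovered into an error, the way the advisory describes the request ending in a 500 rather than a crash.

```go
package main
import (
	"errors"
	"fmt"
)

// Sign1Message stands in for a parsed COSE_Sign1 structure (assumed shape, not Rekor's type).
type Sign1Message struct{ Payload []byte }
// Entry models a proposed cose/v0.0.1 entry: the raw spec.message and its parsed form.
type Entry struct {
	Message  []byte
	sign1Msg *Sign1Message
}

// validateVulnerable mirrors the described defect: an empty message is treated as valid and sign1Msg stays nil.
func (e *Entry) validateVulnerable() error {
	if len(e.Message) == 0 {
		return nil
	}
	e.sign1Msg = &Sign1Message{Payload: e.Message}
	return nil
}

// validateFixed rejects an empty message up front, so canonicalize never sees a nil sign1Msg.
func (e *Entry) validateFixed() error {
	if len(e.Message) == 0 {
		return errors.New("cose entry: spec.message must not be empty")
	}
	e.sign1Msg = &Sign1Message{Payload: e.Message}
	return nil
}

// canonicalize dereferences sign1Msg.Payload with no nil check, as the advisory describes.
func (e *Entry) canonicalize() []byte {
	return append([]byte("canonical:"), e.sign1Msg.Payload...)
}

// Process runs validate then canonicalize, recovering a panic into an error (a 500 in a recovering handler).
func Process(msg []byte, validate func(*Entry) error) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	e := &Entry{Message: msg}
	if err := validate(e); err != nil {
		return nil, err
	}
	return e.canonicalize(), nil
}
```

Calling Process(nil, (*Entry).validateVulnerable) returns a recovered nil-dereference error, while Process(nil, (*Entry).validateFixed) returns the validation error before canonicalize is ever reached.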

Advisories

Source | ID | Title
Github GHSA | GHSA-273p-m2cw-6833 | Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message

History

Mon, 02 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linuxfoundation; Linuxfoundation rekor
CPEs | | cpe:2.3:a:linuxfoundation:rekor:*:*:*:*:*:*:*:*
Vendors & Products | | Linuxfoundation; Linuxfoundation rekor

Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sigstore; Sigstore rekor
Vendors & Products | | Sigstore; Sigstore rekor

Fri, 23 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | threat_severity Moderate


Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Title | | Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-23T14:32:43.078Z

Reserved: 2026-01-16T15:46:40.841Z

Link: CVE-2026-23831

Vulnrichment

Updated: 2026-01-23T14:32:39.987Z

NVD

Status: Analyzed

Published: 2026-01-22T22:16:19.523

Modified: 2026-02-02T15:06:43.427

Link: CVE-2026-23831

Redhat

Severity: Moderate

Public Date: 2026-01-22T21:26:22Z

Links: CVE-2026-23831 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses