CVE-2026-12681

Publication date 24 June 2026

Last updated 26 June 2026

Ubuntu priority

Description

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
golang-github-google-go-attestation	26.04 LTS resolute	Needs evaluation
	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release

Severity score breakdown

CVSS version: CVSS v4.0

Base score 8.9 · High

Base metrics

Parameter	Value
Attack vector	Network
Attack complexity	High
Attack requirements	None
Privileges required	None
User interaction	None
Vulnerable system - Confidentiality impact	None
Vulnerable system - Integrity impact	High
Vulnerable system - Availability impact	None
Subsequent system - Confidentiality impact	None
Subsequent system - Integrity impact	High
Subsequent system - Availability impact	None

Scores

Parameter	Value
Base score	8.9 · High
Base + Threat score	-
Base + Environmental score	-
Base + Threat + Environmental score	-

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

CVE-2026-12681

Description

Status

Severity score breakdown

References

Other references

Access our resources on patching vulnerabilities