CVE-2026-34986

high

Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34986.json

https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants

https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8

https://bugzilla.redhat.com/show_bug.cgi?id=2455470

https://access.redhat.com/security/cve/CVE-2026-34986

https://access.redhat.com/errata/RHSA-2026:9453

https://access.redhat.com/errata/RHSA-2026:9448

https://access.redhat.com/errata/RHSA-2026:9388

https://access.redhat.com/errata/RHSA-2026:9385

https://access.redhat.com/errata/RHSA-2026:8493

https://access.redhat.com/errata/RHSA-2026:8491

https://access.redhat.com/errata/RHSA-2026:8490

https://access.redhat.com/errata/RHSA-2026:35833

https://access.redhat.com/errata/RHSA-2026:34794

https://access.redhat.com/errata/RHSA-2026:34364

https://access.redhat.com/errata/RHSA-2026:34197

https://access.redhat.com/errata/RHSA-2026:34196

https://access.redhat.com/errata/RHSA-2026:34192

https://access.redhat.com/errata/RHSA-2026:33722

https://access.redhat.com/errata/RHSA-2026:32991

https://access.redhat.com/errata/RHSA-2026:30650

https://access.redhat.com/errata/RHSA-2026:29854

https://access.redhat.com/errata/RHSA-2026:28198

https://access.redhat.com/errata/RHSA-2026:27856

https://access.redhat.com/errata/RHSA-2026:27063

https://access.redhat.com/errata/RHSA-2026:27044

https://access.redhat.com/errata/RHSA-2026:27004

https://access.redhat.com/errata/RHSA-2026:27001

https://access.redhat.com/errata/RHSA-2026:26636

https://access.redhat.com/errata/RHSA-2026:26585

https://access.redhat.com/errata/RHSA-2026:26568

https://access.redhat.com/errata/RHSA-2026:26054

https://access.redhat.com/errata/RHSA-2026:25252

https://access.redhat.com/errata/RHSA-2026:25250

https://access.redhat.com/errata/RHSA-2026:25248

https://access.redhat.com/errata/RHSA-2026:25206

https://access.redhat.com/errata/RHSA-2026:25194

https://access.redhat.com/errata/RHSA-2026:25187

https://access.redhat.com/errata/RHSA-2026:25127

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:24853

https://access.redhat.com/errata/RHSA-2026:24484

https://access.redhat.com/errata/RHSA-2026:24482

https://access.redhat.com/errata/RHSA-2026:24479

https://access.redhat.com/errata/RHSA-2026:24477

https://access.redhat.com/errata/RHSA-2026:24475

https://access.redhat.com/errata/RHSA-2026:24471

https://access.redhat.com/errata/RHSA-2026:23361

https://access.redhat.com/errata/RHSA-2026:23345

https://access.redhat.com/errata/RHSA-2026:23241

https://access.redhat.com/errata/RHSA-2026:23228

https://access.redhat.com/errata/RHSA-2026:22937

https://access.redhat.com/errata/RHSA-2026:22840

https://access.redhat.com/errata/RHSA-2026:22714

https://access.redhat.com/errata/RHSA-2026:22629

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:22450

https://access.redhat.com/errata/RHSA-2026:22423

https://access.redhat.com/errata/RHSA-2026:22347

https://access.redhat.com/errata/RHSA-2026:22260

https://access.redhat.com/errata/RHSA-2026:22258

https://access.redhat.com/errata/RHSA-2026:21932

https://access.redhat.com/errata/RHSA-2026:21931

https://access.redhat.com/errata/RHSA-2026:21769

https://access.redhat.com/errata/RHSA-2026:21709

https://access.redhat.com/errata/RHSA-2026:21703

https://access.redhat.com/errata/RHSA-2026:21017

https://access.redhat.com/errata/RHSA-2026:20946

https://access.redhat.com/errata/RHSA-2026:20609

https://access.redhat.com/errata/RHSA-2026:20607

https://access.redhat.com/errata/RHSA-2026:20569

https://access.redhat.com/errata/RHSA-2026:20041

https://access.redhat.com/errata/RHSA-2026:20034

https://access.redhat.com/errata/RHSA-2026:19721

https://access.redhat.com/errata/RHSA-2026:19720

https://access.redhat.com/errata/RHSA-2026:19719

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19353

https://access.redhat.com/errata/RHSA-2026:19186

https://access.redhat.com/errata/RHSA-2026:19173

https://access.redhat.com/errata/RHSA-2026:19135

https://access.redhat.com/errata/RHSA-2026:19108

https://access.redhat.com/errata/RHSA-2026:19099

https://access.redhat.com/errata/RHSA-2026:19017

https://access.redhat.com/errata/RHSA-2026:18585

https://access.redhat.com/errata/RHSA-2026:18584

https://access.redhat.com/errata/RHSA-2026:17789

https://access.redhat.com/errata/RHSA-2026:17598

https://access.redhat.com/errata/RHSA-2026:17550

https://access.redhat.com/errata/RHSA-2026:17547

https://access.redhat.com/errata/RHSA-2026:17474

https://access.redhat.com/errata/RHSA-2026:17468

https://access.redhat.com/errata/RHSA-2026:17459

https://access.redhat.com/errata/RHSA-2026:17458

https://access.redhat.com/errata/RHSA-2026:17448

https://access.redhat.com/errata/RHSA-2026:17287

https://access.redhat.com/errata/RHSA-2026:17123

https://access.redhat.com/errata/RHSA-2026:17121

https://access.redhat.com/errata/RHSA-2026:17040

https://access.redhat.com/errata/RHSA-2026:16696

https://access.redhat.com/errata/RHSA-2026:13829

https://access.redhat.com/errata/RHSA-2026:13791

https://access.redhat.com/errata/RHSA-2026:12279

https://access.redhat.com/errata/RHSA-2026:12277

https://access.redhat.com/errata/RHSA-2026:12116

https://access.redhat.com/errata/RHSA-2026:11996

https://access.redhat.com/errata/RHSA-2026:11916

https://access.redhat.com/errata/RHSA-2026:11856

https://access.redhat.com/errata/RHSA-2026:11688

https://access.redhat.com/errata/RHSA-2026:11512

https://access.redhat.com/errata/RHSA-2026:11217

https://access.redhat.com/errata/RHSA-2026:11070

https://access.redhat.com/errata/RHSA-2026:10175

https://access.redhat.com/errata/RHSA-2026:10135

https://access.redhat.com/errata/RHSA-2026:10130

https://access.redhat.com/errata/RHSA-2026:10125

Details

Source: Mitre, NVD

Published: 2026-04-06

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00015