Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42508.json
https://pkg.go.dev/vuln/GO-2026-5021
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://bugzilla.redhat.com/show_bug.cgi?id=2480688
https://access.redhat.com/security/cve/CVE-2026-42508
https://access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:26546