Alpine: multiple cosign packages: security update to 2.6.3-r0

Tenable Cloud Security Plugin ID 441757 (severity: medium)

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and
3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry
does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign
verifies the Rekor entry signature and also compares the artifact's digest, the user's public key (taken
from either a Fulcio certificate or supplied by the user) and the artifact signature against the Rekor
entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A
malicious actor who has compromised a user's identity or signing key could construct a valid Cosign bundle
that includes an arbitrary Rekor entry, preventing the user from auditing the signing event. This issue
has been patched in versions 2.6.2 and 3.0.4. (CVE-2026-22703)

- Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3,
cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with
malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was
due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the
predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.
(CVE-2026-39395)
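The comparison the first description refers to, as an added Go example that is not Cosign's or Rekor's own code: a constructed, simplified RekorEntry stands in for the logged hashedrekord fields, and VerifyArtifact shows that a signature which verifies under the user's key is still rejected unless the log entry references the same digest, signature and key. It assumes the log's own signature over the entry has already been checked, and SignConstructed produces constructed test material only.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// RekorEntry is a constructed stand-in for the hashedrekord-style fields a log
// entry binds together; it is not Cosign's or Rekor's real type, which carries
// the key PEM-encoded rather than as a parsed object.
type RekorEntry struct {
	ArtifactDigestHex string           // hex SHA-256 of the signed artifact
	Signature         []byte           // ASN.1 ECDSA signature over that digest
	PublicKey         *ecdsa.PublicKey // the key the log recorded for the signer
}

// VerifyArtifact checks the signature with the user's key and then makes the
// comparison the advisory says a crafted bundle evaded; the log's own signature
// over the entry is assumed to have been checked before this point.
func VerifyArtifact(artifact, sig []byte, pub *ecdsa.PublicKey, entry RekorEntry) error {
	digest := sha256.Sum256(artifact)
	switch {
	case !ecdsa.VerifyASN1(pub, digest[:], sig):
		return errors.New("artifact signature does not verify")
	case entry.ArtifactDigestHex != hex.EncodeToString(digest[:]):
		return errors.New("rekor entry does not reference the artifact digest")
	case !bytes.Equal(entry.Signature, sig):
		return errors.New("rekor entry signature differs from the artifact signature")
	case entry.PublicKey == nil || !entry.PublicKey.Equal(pub):
		return errors.New("rekor entry public key differs from the verifying key")
	}
	return nil
}

// SignConstructed signs artifact with a fresh P-256 key and returns the key,
// the signature and the matching entry: constructed test material only.
func SignConstructed(artifact []byte) (*ecdsa.PrivateKey, []byte, RekorEntry, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, RekorEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return priv, sig, RekorEntry{hex.EncodeToString(digest[:]), sig, &priv.PublicKey}, err
}
```

Dropping any one of the three comparisons lets an entry that was logged for an unrelated artifact, signature or key pass as the record of this signing event, which is the audit gap the advisory describes.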

Solution

Update the cosign library and its related packages to version 2.6.3-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-22703

https://security.alpinelinux.org/vuln/CVE-2026-39395

Plugin Details

Severity: Medium

ID: 441757

Version: Revision 1.1

Type: Local

Published: 5/12/2026

Updated: 5/12/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-39395

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-22703

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/10/2026

Reference Information

CVE: CVE-2026-22703, CVE-2026-39395