Vulnerability details: VCID-r5yf-qtqg-93cs
Vulnerability ID VCID-r5yf-qtqg-93cs
Aliases CVE-2026-34986, GHSA-78h2-9frx-2jm8
Summary Go JOSE Panics in JWE decryption

### Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`.

This code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

### Fixed In

v4.1.4 and v3.0.5

### Workarounds

If the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected.

If your application uses key wrapping, you can prevalidate the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`).

### Thanks

Go JOSE thanks Datadog's Security team for finding this issue.
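The workaround above, written out as a pre-parse check. This is an added example, not go-jose's own code: it reads `alg` from the protected header (or from the per-recipient header in general JSON Serialization) and, only for the advisory's key wrapping algorithms, requires a decoded `encrypted_key` of at least 16 bytes, which is the floor the advisory states for `cipher.KeyUnwrap()`; `dir`, the `GCMKW` variants and non-`KW` algorithms pass through untouched. It uses only the standard library; the function names `ValidateCompactJWE`, `ValidateJSONJWE` and `ProtectedHeader` and the sample inputs are constructed here and do not exist in go-jose.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// hdr is the one JOSE header member the check needs.
type hdr struct{ Alg string `json:"alg"` }

// isKeyWrapAlg: the advisory's affected set is every alg ending in "KW" except the AES-GCM variants.
func isKeyWrapAlg(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !strings.HasSuffix(alg, "GCMKW")
}

// protectedAlg base64url-decodes a protected header and returns its alg ("" if absent).
func protectedAlg(protected string) (string, error) {
	var h hdr
	if protected == "" {
		return "", nil
	}
	raw, err := base64.RawURLEncoding.DecodeString(protected)
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	return h.Alg, err
}

// checkEncryptedKey is the advisory's workaround for one (alg, encrypted_key) pair.
func checkEncryptedKey(alg, encryptedKey string) error {
	if !isKeyWrapAlg(alg) {
		return nil // e.g. "dir" legitimately carries an empty encrypted_key
	}
	raw, err := base64.RawURLEncoding.DecodeString(encryptedKey)
	if err != nil {
		return fmt.Errorf("bad encrypted_key for %s: %w", alg, err)
	}
	// The advisory says KeyUnwrap panics on ciphertext shorter than 16 bytes, so
	// an empty encrypted_key (0 bytes) and any truncated one are rejected here.
	if len(raw) < 16 {
		return fmt.Errorf("alg %s needs an encrypted_key of at least 16 bytes, got %d", alg, len(raw))
	}
	return nil
}

// ValidateCompactJWE checks Compact Serialization; encrypted_key is the field between the first and second ".".
func ValidateCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("compact JWE has %d fields, want 5", len(parts))
	}
	alg, err := protectedAlg(parts[0])
	if err != nil {
		return err
	}
	return checkEncryptedKey(alg, parts[1])
}

// jweJSON decodes only what the check needs from flattened or general JSON Serialization.
type jweJSON struct {
	Protected    string `json:"protected"`
	EncryptedKey string `json:"encrypted_key"`
	Recipients   []struct {
		Header       hdr    `json:"header"`
		EncryptedKey string `json:"encrypted_key"`
	} `json:"recipients"`
}

// ValidateJSONJWE applies the check to every recipient of a JSON-serialized JWE.
func ValidateJSONJWE(data []byte) error {
	var obj jweJSON
	if err := json.Unmarshal(data, &obj); err != nil {
		return err
	}
	pAlg, err := protectedAlg(obj.Protected)
	if err != nil {
		return err
	}
	if len(obj.Recipients) == 0 { // flattened form: encrypted_key sits at the top level
		return checkEncryptedKey(pAlg, obj.EncryptedKey)
	}
	for i, r := range obj.Recipients { // general form: alg may sit in the per-recipient header
		alg := r.Header.Alg
		if alg == "" {
			alg = pAlg
		}
		if err := checkEncryptedKey(alg, r.EncryptedKey); err != nil {
			return fmt.Errorf("recipient %d: %w", i, err)
		}
	}
	return nil
}

// ProtectedHeader builds a base64url protected header for the constructed inputs used in tests.
func ProtectedHeader(alg, enc string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"alg":%q,"enc":%q}`, alg, enc)))
}
```

Run the matching validator on the raw input before calling `ParseEncryptedCompact()` / `ParseEncryptedJSON()` and `Decrypt()`, and treat a non-nil error as invalid input. The check assumes `alg` lives in the protected or per-recipient header; a shared `unprotected` header is not inspected, and the check is a stopgap until the application moves to the fixed versions.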
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34986.json
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-34986
epss 0.00019 https://api.first.org/data/v1/epss?cve=CVE-2026-34986
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/go-jose/go-jose
generic_textual HIGH https://github.com/go-jose/go-jose
cvssv3.1 7.5 https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
generic_textual HIGH https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
ssvc Track https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-34986
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-34986
cvssv3.1 7.5 https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
generic_textual HIGH https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
ssvc Track https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34986.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34986
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/go-jose/go-jose
https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
https://nvd.nist.gov/vuln/detail/CVE-2026-34986
https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
2455470 https://bugzilla.redhat.com/show_bug.cgi?id=2455470
RHSA-2026:10125 https://access.redhat.com/errata/RHSA-2026:10125
RHSA-2026:10130 https://access.redhat.com/errata/RHSA-2026:10130
RHSA-2026:10135 https://access.redhat.com/errata/RHSA-2026:10135
RHSA-2026:10175 https://access.redhat.com/errata/RHSA-2026:10175
RHSA-2026:11070 https://access.redhat.com/errata/RHSA-2026:11070
RHSA-2026:11217 https://access.redhat.com/errata/RHSA-2026:11217
RHSA-2026:11512 https://access.redhat.com/errata/RHSA-2026:11512
RHSA-2026:11688 https://access.redhat.com/errata/RHSA-2026:11688
RHSA-2026:11856 https://access.redhat.com/errata/RHSA-2026:11856
RHSA-2026:11916 https://access.redhat.com/errata/RHSA-2026:11916
RHSA-2026:11996 https://access.redhat.com/errata/RHSA-2026:11996
RHSA-2026:12116 https://access.redhat.com/errata/RHSA-2026:12116
RHSA-2026:12277 https://access.redhat.com/errata/RHSA-2026:12277
RHSA-2026:12279 https://access.redhat.com/errata/RHSA-2026:12279
RHSA-2026:8490 https://access.redhat.com/errata/RHSA-2026:8490
RHSA-2026:8491 https://access.redhat.com/errata/RHSA-2026:8491
RHSA-2026:8493 https://access.redhat.com/errata/RHSA-2026:8493
RHSA-2026:9385 https://access.redhat.com/errata/RHSA-2026:9385
RHSA-2026:9388 https://access.redhat.com/errata/RHSA-2026:9388
RHSA-2026:9448 https://access.redhat.com/errata/RHSA-2026:9448
RHSA-2026:9453 https://access.redhat.com/errata/RHSA-2026:9453
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34986.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/go-jose/go-jose
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:21:42Z/ Found at https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34986
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:21:42Z/ Found at https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants
Exploit Prediction Scoring System (EPSS)
Percentile 0.03001
EPSS Score 0.00015
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T21:42:25.877179+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-78h2-9frx-2jm8/GHSA-78h2-9frx-2jm8.json 38.1.0