CVE Catalog

CVE-2026-12681

HighCVSS 8.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

In a vulnerability in Google go-attestation, the parseEfiSignatureList() function improperly validates indices, allowing attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. This could lead to a remote attestation verifier accepting a compromised boot state.

Risk Assessment

The organization may be exposed to the acceptance of malicious boot states, potentially leading to serious security breaches.

Recommendation

It is recommended to update go-attestation to version 0.6.1 or later to mitigate this vulnerability.

Original NVD description (English source)

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS