CVE-2026-12681
HighCVSS 8.9Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
In a vulnerability in Google go-attestation, the parseEfiSignatureList() function improperly validates indices, allowing attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. This could lead to a remote attestation verifier accepting a compromised boot state.
Risk Assessment
The organization may be exposed to the acceptance of malicious boot states, potentially leading to serious security breaches.
Recommendation
It is recommended to update go-attestation to version 0.6.1 or later to mitigate this vulnerability.
Original NVD description (English source)
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.

