Idx Validation Flaw in go-attestation 0.6.0 Allows to Inject SHA256 Hashes: CVE-2026-12681 June 2026

Idx Validation Flaw in go-attestation 0.6.0 Allows to Inject SHA256 Hashes
CVE-2026-12681 Published on June 24, 2026

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.

Weakness Type

Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

Affected Versions

Before and including 0.6.0 is affected.

Idx Validation Flaw in go-attestation 0.6.0 Allows to Inject SHA256 HashesCVE-2026-12681 Published on June 24, 2026

Weakness Type

Improper Validation of Specified Index, Position, or Offset in Input

Affected Versions

Idx Validation Flaw in go-attestation 0.6.0 Allows to Inject SHA256 Hashes
CVE-2026-12681 Published on June 24, 2026