SB20260425221 - Anolis OS update for cosign




Published: April 25, 2026

Security Bulletin ID: SB20260425221
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Certificate Validation (CVE-ID: CVE-2026-24122)

The vulnerability allows a remote attacker to bypass signature verification integrity checks.

The vulnerability exists due to improper certificate validation in certificate chain verification when verifying artifact signatures using certificates with signed timestamps. A remote attacker can present a certificate chain in which an issuing certificate expires before the leaf certificate to bypass signature verification integrity checks.

This affects private deployments with customized PKIs and is unlikely to occur in practice because certification authorities should not issue certificates that outlive the validity of their issuing certificates.
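Operators of a private PKI can audit their chains for the validity-window condition described above. The following Go program is an added example, not code from cosign or from this bulletin; the function names, certificate names and dates are constructed, and the certificates are unsigned structs carrying only a name and a validity window.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// auditChain takes a chain ordered leaf first, root last, and a trusted signing
// time (for example from a signed timestamp). It returns one finding per problem.
func auditChain(chain []*x509.Certificate, signedAt time.Time) []string {
	var findings []string
	for i, c := range chain {
		// Every certificate, not only the leaf, must be valid at signing time.
		if signedAt.Before(c.NotBefore) || signedAt.After(c.NotAfter) {
			findings = append(findings, fmt.Sprintf("%s not valid at %s",
				c.Subject.CommonName, signedAt.Format(time.RFC3339)))
		}
		// A certificate must not outlive the certificate that issued it.
		if i+1 < len(chain) && c.NotAfter.After(chain[i+1].NotAfter) {
			findings = append(findings, fmt.Sprintf("%s outlives issuer %s",
				c.Subject.CommonName, chain[i+1].Subject.CommonName))
		}
	}
	return findings
}

// cert builds a constructed, unsigned certificate with only a name and validity window.
func cert(cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// sampleChain is constructed data: the intermediate expires before the leaf.
func sampleChain() []*x509.Certificate {
	return []*x509.Certificate{
		cert("leaf", day(2026, 1, 1), day(2026, 12, 31)),
		cert("intermediate", day(2025, 1, 1), day(2026, 3, 1)),
		cert("root", day(2020, 1, 1), day(2035, 1, 1)),
	}
}

func main() {
	for _, f := range auditChain(sampleChain(), day(2026, 4, 1)) {
		fmt.Println(f)
	}
}
```

A check that looks only at the leaf's validity at the signing time would accept this sample chain, while the audit reports both the expired intermediate and the leaf that outlives it.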


Remediation

Install the update from the vendor's website.