Input validation error in go-attestation - #VU132043


Published: May 21, 2026


Vulnerability identifier: #VU132043
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
go-attestation

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the integrity of the trusted measurement database by injecting attacker-chosen hashes into it.

The vulnerability exists due to improper input validation in parseEfiSignatureList() in attest/internal/events.go when parsing an EFI_SIGNATURE_LIST that carries vendor header bytes (a non-zero SignatureHeaderSize). The parser treats the vendor header bytes as if they were EFI_SIGNATURE_DATA entries instead of skipping them, so a remote attacker who can supply a specially crafted TPM event log to the verifier can compromise the integrity of the trusted measurement database.

For lists whose SignatureType is EFI_CERT_SHA256_GUID (hashSHA256SigGUID in the code), this means attacker-controlled bytes placed in the vendor header are decoded as signature entries, which allows arbitrary SHA256 hashes to be added to the verifier's trusted hash list. Note the attack precondition: the attacker must be able to feed the crafted event log to the verifying party (reflected as AT:P in the CVSS vector above).
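The following is an added illustration of the bug class described above, not code from go-attestation: a minimal EFI_SIGNATURE_LIST parser that can either ignore SignatureHeaderSize (mimicking the flaw, where vendor header bytes are decoded as entries) or honor it (the expected behaviour). The list layout follows the UEFI specification (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize, SignatureHeader, then EFI_SIGNATURE_DATA entries of SignatureOwner GUID plus digest). The sample list, its vendor header contents and the digests are constructed here for the demonstration; the function names and the exact checks are the author's assumptions, not go-attestation's API.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// EFI_CERT_SHA256_GUID (c1c41626-504c-4092-aca9-41f936934328) in its on-disk
// mixed-endian encoding: the first three fields are little-endian.
var certSHA256GUID = [16]byte{0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28}

const (
	sigListHeaderLen = 16 + 4 + 4 + 4 // SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
	sha256SigSize    = 16 + 32        // SignatureOwner GUID + 32-byte digest
)

type sigListHeader struct {
	Type       [16]byte
	ListSize   uint32
	HeaderSize uint32
	SigSize    uint32
}

// parseSHA256List returns the digests held in an EFI_CERT_SHA256 signature list.
// With skipVendorHeader=false it reproduces the flaw: entries are read from
// directly after the fixed header, so SignatureHeader bytes become entries.
func parseSHA256List(b []byte, skipVendorHeader bool) ([][32]byte, error) {
	if len(b) < sigListHeaderLen {
		return nil, errors.New("short EFI_SIGNATURE_LIST")
	}
	var h sigListHeader
	if err := binary.Read(bytes.NewReader(b[:sigListHeaderLen]), binary.LittleEndian, &h); err != nil {
		return nil, err
	}
	if h.Type != certSHA256GUID {
		return nil, errors.New("not an EFI_CERT_SHA256 list")
	}
	if h.ListSize < sigListHeaderLen || int(h.ListSize) > len(b) {
		return nil, errors.New("SignatureListSize out of range")
	}
	if h.SigSize != sha256SigSize {
		return nil, fmt.Errorf("unexpected SignatureSize %d for a SHA256 list", h.SigSize)
	}
	start := uint32(sigListHeaderLen)
	if skipVendorHeader {
		// Hardened path: step over the vendor header and require the remainder
		// to be an exact number of entries, so nothing is silently misaligned.
		start += h.HeaderSize
		if start > h.ListSize || (h.ListSize-start)%h.SigSize != 0 {
			return nil, errors.New("SignatureHeaderSize inconsistent with SignatureListSize")
		}
	}
	var out [][32]byte
	for off := start; off+h.SigSize <= h.ListSize; off += h.SigSize {
		var d [32]byte
		copy(d[:], b[off+16:off+h.SigSize]) // skip the SignatureOwner GUID
		out = append(out, d)
	}
	return out, nil
}

// buildList assembles a constructed EFI_SIGNATURE_LIST with the given vendor
// header bytes followed by one EFI_SIGNATURE_DATA entry per digest.
func buildList(vendorHeader []byte, digests ...[32]byte) []byte {
	listSize := sigListHeaderLen + len(vendorHeader) + sha256SigSize*len(digests)
	buf := new(bytes.Buffer)
	buf.Write(certSHA256GUID[:])
	_ = binary.Write(buf, binary.LittleEndian, uint32(listSize))
	_ = binary.Write(buf, binary.LittleEndian, uint32(len(vendorHeader)))
	_ = binary.Write(buf, binary.LittleEndian, uint32(sha256SigSize))
	buf.Write(vendorHeader)
	for _, d := range digests {
		buf.Write(make([]byte, 16)) // SignatureOwner: zero GUID for the sample
		buf.Write(d[:])
	}
	return buf.Bytes()
}

func fill(b byte) (d [32]byte) {
	for i := range d {
		d[i] = b
	}
	return d
}

// Constructed digests: the one an attacker smuggles in via the vendor header,
// and the one genuine entry the list is supposed to carry.
var (
	attackerDigest = fill(0x41)
	legitDigest    = fill(0x01)
)

// demo parses the same crafted list both ways and returns the digests each
// parser would hand to the verifier's trusted hash list.
func demo() (vulnerable, fixed [][32]byte, err error) {
	// Vendor header shaped exactly like an EFI_SIGNATURE_DATA entry:
	// 16-byte owner GUID followed by the attacker-chosen digest.
	header := append(make([]byte, 16), attackerDigest[:]...)
	list := buildList(header, legitDigest)
	if vulnerable, err = parseSHA256List(list, false); err != nil {
		return nil, nil, err
	}
	fixed, err = parseSHA256List(list, true)
	return vulnerable, fixed, err
}

func main() {
	vuln, fixed, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("ignoring SignatureHeaderSize (flawed):")
	for _, d := range vuln {
		fmt.Println("  ", hex.EncodeToString(d[:]))
	}
	fmt.Println("honoring SignatureHeaderSize (fixed):")
	for _, d := range fixed {
		fmt.Println("  ", hex.EncodeToString(d[:]))
	}
}
```

The flawed path yields two digests, the first being the attacker's 0x41 pattern lifted straight out of the vendor header; the hardened path yields only the genuine entry. The hardened path also rejects a header size that does not leave a whole number of entries, which is the check a verifier consuming untrusted event logs should insist on.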


Remediation

Install the security update from the vendor's website.

Sources