—
GO-2026-5298
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() in github.com/google/go-attestation
Details
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() in github.com/google/go-attestation
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/google/go-attestation
Introduced in:
0 No fixed version published yet for github.com/google/go-attestation (go modules). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/google/go-attestation/security/advisories/GHSA-9r4w-jg96-92mv [ADVISORY]
- https://github.com/google/go-attestation/commit/b6e905e7ae52937f02b5ca494dd1c6a3ac7a1003 [FIX]
- https://github.com/google/go-attestation/pull/502 [FIX]
- https://github.com/google/go-attestation/releases/tag/v0.6.0 [WEB]