Input Validation Flaw in Google go-attestation Affects Secure Boot Process
CVE-2026-12681

8.9HIGH

Key Information:

Vendor: Google
Status: Go-attestation
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-12681?

A vulnerability in Google go-attestation arises from improper validation of an input index in the parseEfiSignatureList() function. The flaw allows an attacker to manipulate vendor bytes in the buffer, potentially appending harmful entries into a trusted SHA256 hash list. This manipulation can lead to a crafted TPM event log that injects arbitrary SHA256 hashes into the verifier's trusted measurement database. Consequently, remote attestation verifiers may incorrectly accept a compromised boot state as secure. This affects go-attestation versions up to 0.6.0, highlighting the importance of timely updates for maintaining secure remote attestation processes.

Affected Version(s)

go-attestation 0 <= 0.6.0

References

https://github.com/google/go-attestation/security/advisor...

https://github.com/google/go-attestation/commit/b6e905e7a...

https://github.com/google/go-attestation/releases/tag/v0.6.1

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
Jun 19, 2026

Credit

https://github.com/prasanna8585

CVE-2026-12681 Data

JSON