Index-Out-Of-Range Vulnerability in Gitsign's CertVerifier.Verify() Function
CVE-2026-44310

5.4 MEDIUM

Key Information:

Vendor

Sigstore

Status
Vendor
CVE Published:
15 May 2026

What is CVE-2026-44310?

A vulnerability exists in Gitsign's CertVerifier.Verify() function, which unconditionally dereferences the first element of the certificate slice returned by sd.GetCertificates(). In versions 0.4.0 through 0.14.9, a CMS/PKCS7 signed message that carries an empty set of certificates therefore triggers an index-out-of-range panic. The issue is compounded by the fact that the panic is silently recovered and a success exit code is returned, so callers of the verification are misled into assuming the signature was verified. Users should upgrade to version 0.15.0 or later.
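To make the failure mode concrete, the following Go program is an added illustration written for this page; it is not gitsign's code. The signedData type, the verifyUnchecked/verifyChecked functions and the two runner helpers are hypothetical stand-ins for the real CertVerifier.Verify() path. It shows the unconditional certs[0] access panicking on an empty certificate set, a deferred recover() that discards the panic so the caller sees a nil error (the "looks like success" half of the bug), and the two fixes: reject an empty slice explicitly, and convert any panic into a verification error instead of dropping it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedData is a hypothetical stand-in for a parsed CMS/PKCS7 SignedData object.
// Only the certificate set matters for this example.
type signedData struct {
	certs []*x509.Certificate
}

func (sd *signedData) GetCertificates() []*x509.Certificate { return sd.certs }

// verifyUnchecked mirrors the described bug: certs[0] is read unconditionally,
// so an empty certificate set causes a runtime "index out of range" panic.
func verifyUnchecked(sd *signedData) (*x509.Certificate, error) {
	certs := sd.GetCertificates()
	return certs[0], nil
}

// verifyChecked is the hardened form: an empty certificate set is a verification
// failure, reported as an error rather than a panic.
func verifyChecked(sd *signedData) (*x509.Certificate, error) {
	certs := sd.GetCertificates()
	if len(certs) == 0 {
		return nil, errors.New("signed message carries no signer certificate")
	}
	return certs[0], nil
}

type verifyFn func(*signedData) (*x509.Certificate, error)

// runSwallowingPanics shows the second half of the problem: a deferred recover()
// that discards the panic value leaves the named return err at nil, so the
// caller cannot tell a crashed verification from a successful one.
func runSwallowingPanics(verify verifyFn, sd *signedData) (err error) {
	defer func() {
		_ = recover() // bug: panic value discarded, err stays nil
	}()
	_, err = verify(sd)
	return err
}

// runConvertingPanics turns any panic raised during verification into an error,
// so the failure propagates to the exit code instead of vanishing.
func runConvertingPanics(verify verifyFn, sd *signedData) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("verification panicked: %v", r)
		}
	}()
	_, err = verify(sd)
	return err
}

// selfSignedCert builds a throwaway ECDSA certificate (constructed test data)
// so the non-empty path can be exercised offline.
func selfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-signer"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	empty := &signedData{} // a signed message with zero certificates
	fmt.Println("unchecked, panic swallowed:", runSwallowingPanics(verifyUnchecked, empty))
	fmt.Println("unchecked, panic converted:", runConvertingPanics(verifyUnchecked, empty))
	fmt.Println("checked, empty set:", runConvertingPanics(verifyChecked, empty))
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	_, err = verifyChecked(&signedData{certs: []*x509.Certificate{cert}})
	fmt.Println("checked, one cert:", err)
}
```

The first line printed is `<nil>`, which is exactly what a caller sees when the panic is swallowed: no error and, in a CLI, a zero exit status. The length check and the panic-to-error conversion are independent fixes; a verifier should have both, since the length check closes this specific crash while the recover() change guarantees that any future panic in the verification path is still reported as a failure.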

Affected Version(s)

gitsign >= 0.4.0, < 0.15.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
