Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Verifier ingests remote event log so AV:N/PR:N/UI:N; crafting a valid EFI_SIGNATURE_LIST that survives parsing raises AC:H; only integrity of attestation decisions is impacted.
Primary rating from Vendor (Google).
CVSS VectorVendor: Google
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0.
AnalysisAI
Trusted measurement-list poisoning in Google go-attestation through 0.6.0 lets a remote actor who controls a TPM event log fed to an attestation verifier inject arbitrary SHA256 hashes into the verifier's trusted hash database. Because parseEfiSignatureList() never advances past the EFI_SIGNATURE_LIST SignatureHeaderSize vendor bytes, those attacker-chosen bytes are accepted as legitimate hash entries, allowing a compromised boot state to be attested as healthy. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a service consume go-attestation (through 0.6.0) as a remote attestation verifier and parse an EFI_SIGNATURE_LIST structure - typically delivered inside a TCG TPM event log - that originates from a host the attacker controls or can tamper with in transit; the malicious list must specify hashSHA256SigGUID as its SignatureType and a non-zero SignatureHeaderSize whose vendor bytes encode the attacker-chosen 16-byte GUID and 32-byte SHA256 hash. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk depends heavily on deployment: in any architecture where a verifier accepts attestation evidence from an untrusted or remote endpoint (the canonical use case for this library), the published CVSS:4.0 vector AV:N/AC:H/AT:N/PR:N/UI:N with VI:H and SI:H is realistic - there is no authentication or user interaction, but crafting a valid EFI_SIGNATURE_LIST that survives surrounding parsers raises complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker controlling a target endpoint (or a man-in-the-middle on the attestation channel) crafts a TPM event log containing an EFI_SIGNATURE_LIST whose SignatureHeader vendor region encodes a fake 16-byte GUID followed by the SHA256 hash of the attacker's tampered bootloader. When the verifier built on go-attestation parses that list, the vendor bytes are interpreted as the first signature entry, the tampered hash is added to the trusted measurement database, and the verifier subsequently accepts the compromised boot state as legitimate. … |
| Remediation | Upstream fix available in go-attestation v0.6.1 (https://github.com/google/go-attestation/releases/tag/v0.6.1) via commit b6e905e7ae52937f02b5ca494dd1c6a3ac7a1003, which adds a bound check rejecting SignatureHeaderSize values that meet or exceed the remaining list space and seeks past SignatureHeaderSize vendor bytes before both the certificate and hash entry loops; update go.mod to require at least v0.6.1 and rebuild and redeploy any verifier services. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit inventory of all systems and services using go-attestation library, identify which are at v0.6.0 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38641