CVE-2026-34986 — Uncaught Exception in Go-jose

CWE-248 — Uncaught Exception CWE-131 — Incorrect Calculation of Buffer Size214 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 94.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-jose Github.com Go-jose Go-jose V3 Github.com Go-jose Go-jose V4 +1 more

Timeline

PublishedApr 6

Latest updateApr 16

Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.K…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5go-jose/go-jose< 3.0.5+1

▶Gogithub.com/go-jose_go-jose_v3< 3.0.5

▶Gogithub.com/go-jose_go-jose_v4< 4.1.4

▶Gogithub.com/go-jose_go-jose2.6.3

🔴Vulnerability Details

VulDB

go-jose up to 3.0.4/4.1.3 on JSON cipher.KeyUnwrap uncaught exception (Nessus ID 306612 / CNNVD-202604-991)↗2026-04-16

▶

OSV

CVE-2026-34986: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (↗2026-04-06

▶

CVEList

Go JOSE affect by a panic in JWE decryption↗2026-04-06

▶

OSV

Go JOSE Panics in JWE decryption↗2026-04-03

▶

GHSA

Go JOSE Panics in JWE decryption↗2026-04-03

▶

📋Vendor Advisories

Red Hat

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object↗2026-04-06

▶

Debian

CVE-2026-34986: golang-github-go-jose-go-jose - Go JOSE provides an implementation of the Javascript Object Signing and Encrypti...↗2026

▶

🕵️Threat Intelligence

157

Wiz

CVE-2026-25882 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-66630 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34379 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28363 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33758 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-34986 restic: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]↗2026-04-06

▶

Bugzilla

CVE-2026-34986 cri-o1.31: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]↗2026-04-06

▶

Bugzilla

CVE-2026-34986 prometheus-podman-exporter: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]↗2026-04-06

▶

Bugzilla

CVE-2026-34986 inspektor-gadget: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]↗2026-04-06

▶

Bugzilla

CVE-2026-34986 opkssh: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]↗2026-04-06

▶