GHSA-9r4w-jg96-92mv: Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
parseEfiSignatureList() in attest/internal/events.go does not skip the SignatureHeaderSize vendor-defined bytes that follow the fixed 28-byte EFI_SIGNATURE_LIST header before it starts reading EFI_SIGNATURE_DATA entries, violating UEFI specification section 31.4.1. Because the entries are read from the wrong offset, the vendor header bytes are interpreted as a signature entry, so an attacker who controls them can inject a hash into the list that go-attestation reports as trusted.
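The following Go program is an added illustration of the parsing defect, not code from go-attestation. It serialises an EFI_SIGNATURE_LIST whose SignatureHeaderSize equals SignatureSize, then parses it twice: once the way the advisory describes (entries read immediately after the 28-byte fixed header) and once honouring SignatureHeaderSize as the specification requires. The function names ParseSignatureList, BuildSignatureList and DemoList, the owner GUIDs and the digests are assumptions made for this example; the type GUID is EFI_CERT_SHA256_GUID from the UEFI specification.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Fixed part of EFI_SIGNATURE_LIST: SignatureType GUID (16 bytes) followed by
// SignatureListSize, SignatureHeaderSize and SignatureSize (3 x uint32).
const sigListHeaderSize = 28

// EFI_CERT_SHA256_GUID (c1c41626-504c-4092-aca9-41f936934328) in its on-disk
// little-endian field layout; its entries are a 16-byte owner GUID + 32-byte digest.
var efiCertSHA256GUID = [16]byte{
	0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28,
}

// SignatureData is one EFI_SIGNATURE_DATA entry.
type SignatureData struct {
	Owner [16]byte
	Data  []byte
}

// SignatureList is a parsed EFI_SIGNATURE_LIST.
type SignatureList struct {
	SignatureType [16]byte
	Header        []byte // vendor-defined SignatureHeader bytes (must be skipped)
	Signatures    []SignatureData
}

// ParseSignatureList parses one EFI_SIGNATURE_LIST from b. With honourHeader
// false it reproduces the pre-fix behaviour the advisory describes (entries are
// read directly after the 28-byte fixed header); with honourHeader true it skips
// SignatureHeaderSize vendor bytes first, as the UEFI specification requires.
func ParseSignatureList(b []byte, honourHeader bool) (*SignatureList, error) {
	if len(b) < sigListHeaderSize {
		return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
	}
	listSize := binary.LittleEndian.Uint32(b[16:20])
	hdrSize := binary.LittleEndian.Uint32(b[20:24])
	sigSize := binary.LittleEndian.Uint32(b[24:28])
	// Bounds checks in uint64 so attacker-chosen sizes cannot wrap around.
	if uint64(listSize) > uint64(len(b)) || listSize < sigListHeaderSize {
		return nil, fmt.Errorf("SignatureListSize %d out of range", listSize)
	}
	if sigSize < 16 {
		return nil, fmt.Errorf("SignatureSize %d smaller than owner GUID", sigSize)
	}
	if uint64(sigListHeaderSize)+uint64(hdrSize) > uint64(listSize) {
		return nil, fmt.Errorf("SignatureHeaderSize %d exceeds list", hdrSize)
	}
	sl := &SignatureList{}
	copy(sl.SignatureType[:], b[:16])
	start := uint32(sigListHeaderSize)
	if honourHeader {
		sl.Header = append([]byte(nil), b[start:start+hdrSize]...)
		start += hdrSize // the fix: entries begin after the vendor header
	}
	body := b[start:listSize]
	if len(body)%int(sigSize) != 0 {
		return nil, errors.New("signature area is not a multiple of SignatureSize")
	}
	for off := 0; off < len(body); off += int(sigSize) {
		var sd SignatureData
		copy(sd.Owner[:], body[off:off+16])
		sd.Data = append([]byte(nil), body[off+16:off+int(sigSize)]...)
		sl.Signatures = append(sl.Signatures, sd)
	}
	return sl, nil
}

// ContainsDigest reports whether any parsed entry carries exactly digest.
func (sl *SignatureList) ContainsDigest(digest []byte) bool {
	for _, s := range sl.Signatures {
		if bytes.Equal(s.Data, digest) {
			return true
		}
	}
	return false
}

// BuildSignatureList serialises an EFI_SIGNATURE_LIST with the given vendor
// header and entries; every entry must be exactly sigSize bytes in total.
func BuildSignatureList(sigType [16]byte, header []byte, entries []SignatureData, sigSize uint32) []byte {
	total := uint32(sigListHeaderSize) + uint32(len(header)) + uint32(len(entries))*sigSize
	var u32 [4]byte
	out := append([]byte(nil), sigType[:]...)
	for _, v := range []uint32{total, uint32(len(header)), sigSize} {
		binary.LittleEndian.PutUint32(u32[:], v)
		out = append(out, u32[:]...)
	}
	out = append(out, header...)
	for _, e := range entries {
		out = append(out, e.Owner[:]...)
		out = append(out, e.Data...)
	}
	return out
}

// Constructed sample digests (assumed for this example, not real measurements).
var (
	legitDigest    = sha256.Sum256([]byte("legitimate boot component (constructed)"))
	injectedDigest = sha256.Sum256([]byte("attacker-controlled boot component (constructed)"))
)

// DemoList builds a list with one legitimate SHA-256 entry and a 48-byte vendor
// header shaped like a second entry: SignatureHeaderSize == SignatureSize == 48,
// so a parser that does not skip the header reads the header as an entry.
func DemoList() []byte {
	var attackerOwner, legitOwner [16]byte
	for i := range attackerOwner {
		attackerOwner[i], legitOwner[i] = 0xAA, 0x11
	}
	header := append(append([]byte(nil), attackerOwner[:]...), injectedDigest[:]...)
	entries := []SignatureData{{Owner: legitOwner, Data: legitDigest[:]}}
	return BuildSignatureList(efiCertSHA256GUID, header, entries, 48)
}

func main() {
	b := DemoList()
	for _, honour := range []bool{false, true} {
		sl, err := ParseSignatureList(b, honour)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("honourHeader=%v entries=%d injected=%v legit=%v\n", honour,
			len(sl.Signatures), sl.ContainsDigest(injectedDigest[:]), sl.ContainsDigest(legitDigest[:]))
	}
}
```

With honourHeader=false the parser returns two entries and the attacker's digest is among them; with honourHeader=true it returns the single legitimate entry and keeps the vendor bytes in Header where they cannot be mistaken for a measurement. The size checks before the loop are the other half of a robust parser: SignatureListSize, SignatureHeaderSize and SignatureSize all come from the untrusted event log, so each must be bounded before it is used as an offset.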