CVE-2026-22696: dcap-qvl has Missing Verification for QE Identity

January 26, 2026 (updated January 29, 2026)

This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl.

The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it skips to verify the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report.

References

github.com/Phala-Network/dcap-qvl
github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q
github.com/advisories/GHSA-796p-j2gh-9m2q
nvd.nist.gov/vuln/detail/CVE-2026-22696

Code Behaviors & Features

Detect and mitigate CVE-2026-22696 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →