## Security Patch: go-jose/v3 Library Fixes Critical Panic Vulnerability in JWE Decryption (CVE-2026-34986)
A critical security vulnerability in the widely-used Go cryptography library `go-jose/go-jose/v3` has been patched, addressing a flaw that could cause applications to crash when processing malformed encrypted data. The vulnerability, tracked as CVE-2026-34986, is triggered during the decryption of a JSON Web Encryption (JWE) object. Specifically, the library will panic—causing a program crash—if the JWE's algorithm (`alg`) field specifies a key-wrapping algorithm (those ending in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. This panic occurs in the `cipher.KeyUnwrap()` function within `key_wrap.go` when it attempts to allocate memory based on an invalid, zero-length input.

The patch, released as version v3.0.5, is a direct update from v3.0.4. The issue was identified and addressed by the library's maintainers, with the fix now available via GitHub. The update is marked as a security patch, and the associated pull request includes a link to the official OpenSSF security scorecard for the project, providing transparency into its security posture. This is not a remote code execution flaw, but a denial-of-service vector where a maliciously crafted JWE payload could crash any service relying on this library for decryption.

For developers and organizations, this vulnerability represents a tangible stability risk. Any Go application that uses the `go-jose/go-jose/v3` module, including as an indirect dependency, to handle JWE tokens is potentially affected. The immediate implication is service disruption: an attacker could send a specially crafted token to trigger a panic and bring down an endpoint. The fix is straightforward: update the dependency to v3.0.5. Given the library's role in security-critical operations such as token validation and data decryption, this patch should be treated as high priority to prevent unexpected outages and maintain system integrity.
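As an added defensive example (not code from the go-jose project or from this report), the following stand-alone Go program turns the advisory's description into a pre-check that a service can run on inbound compact-serialized JWE tokens before handing them to a decryption routine: it rejects any token whose protected header names a key-wrapping `alg` (ending in `KW`, other than `A128GCMKW`, `A192GCMKW` and `A256GCMKW`) while its `encrypted_key` segment is empty. The `buildToken` helper, the sample tokens and the placeholder IV/ciphertext/tag bytes are constructed for illustration only; the check never decrypts and is a stopgap, not a substitute for updating to v3.0.5.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyEncryptedKey flags the token shape described in CVE-2026-34986:
// a key-wrapping alg paired with an empty encrypted_key.
var ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")

// gcmKW lists the KW algorithms the advisory exempts from the affected set.
var gcmKW = map[string]bool{"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true}

// RequiresEncryptedKey reports whether alg is one of the key-wrapping
// algorithms the advisory describes: a name ending in "KW" that is not one
// of the AES-GCM key-wrap variants. Other algorithms (e.g. "dir", which
// legitimately has no encrypted_key) are deliberately not flagged.
func RequiresEncryptedKey(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !gcmKW[alg]
}

// PrecheckCompactJWE inspects a compact JWE (five dot-separated base64url
// segments: header.encrypted_key.iv.ciphertext.tag) and returns
// ErrEmptyEncryptedKey when it has the shape that crashes go-jose v3 before
// v3.0.5. Any other structural problem is reported as an ordinary error.
func PrecheckCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 segments, got %d", len(parts))
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("jwe: bad protected header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return fmt.Errorf("jwe: protected header is not JSON: %w", err)
	}
	if hdr.Alg == "" || hdr.Enc == "" {
		return errors.New("jwe: protected header missing alg or enc")
	}
	encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("jwe: bad encrypted_key encoding: %w", err)
	}
	if RequiresEncryptedKey(hdr.Alg) && len(encryptedKey) == 0 {
		return ErrEmptyEncryptedKey
	}
	return nil
}

// buildToken assembles a compact JWE from constructed segment bytes. The iv,
// ciphertext and tag are placeholders: the pre-check only reads the header
// and the encrypted_key segment and never attempts decryption.
func buildToken(alg, enc, encryptedKey string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": enc})
	b64 := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{
		b64(hdr),
		b64([]byte(encryptedKey)),
		b64([]byte("iv")),
		b64([]byte("ct")),
		b64([]byte("tag")),
	}, ".")
}

func main() {
	samples := []string{
		buildToken("A256KW", "A256GCM", ""),            // affected shape: rejected
		buildToken("A256KW", "A256GCM", "wrapped-cek"), // well-formed: passes
		buildToken("A256GCMKW", "A256GCM", ""),         // exempted alg: passes
		buildToken("dir", "A256GCM", ""),               // direct encryption: passes
	}
	for _, tok := range samples {
		fmt.Printf("%-60.60s -> %v\n", tok, PrecheckCompactJWE(tok))
	}
}
```

Place the check at the edge (for example in the HTTP handler that extracts the token) so a rejected token is logged and answered with a 4xx instead of reaching the decrypt path; the primary remediation is still `go get github.com/go-jose/go-jose/v3@v3.0.5` followed by `go mod tidy`.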

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, go, cryptography, library
- **Credibility**: unverified
- **Published**: 2026-04-04 21:26:56
- **ID**: 50198
- **URL**: https://whisperx.ai/en/intel/50198