## High-Severity Vulnerability CVE-2026-34986: go-jose Library Panic on Malformed JWE Decryption
A high-severity vulnerability in the widely-used `go-jose` library can cause a runtime panic when decrypting maliciously crafted JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, is triggered when a JWE object specifies a key wrapping algorithm (those ending in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) but contains an empty `encrypted_key` field. This condition leads the `cipher.KeyUnwrap()` function to attempt allocating a slice with a zero or negative length, crashing the application.

The primary attack vector is through the library's public parsing and decryption APIs. An application becomes vulnerable when it calls `ParseEncrypted()`, `ParseEncryptedJSON()`, or `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object, *and* its list of accepted key algorithms includes the problematic key-wrapping algorithms. If an application's accepted algorithms exclude these wrapping methods, parsing will fail safely, preventing exploitation. The underlying `cipher.KeyUnwrap()` function is also directly vulnerable to any `ciphertext` parameter shorter than 16 bytes.

This vulnerability presents a clear denial-of-service risk for any service using the affected `go-jose` versions to process untrusted JWE tokens. Developers must verify their accepted algorithm lists and apply the forthcoming patch. The issue underscores the critical need for robust input validation in cryptographic libraries, especially in parsers handling complex, nested formats like JWE, where a single malformed field can destabilize an entire service.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, cryptography, go, denial-of-service, CVE-2026-34986
- **Credibility**: unverified
- **Published**: 2026-04-05 21:27:06
- **ID**: 50774
- **URL**: https://whisperx.ai/en/intel/50774