## Go JOSE Library Vulnerability CVE-2026-34986: High-Severity Panic in Key Wrapping Decryption
A high-severity vulnerability (CVE-2026-34986) in the Go JOSE library can cause applications to panic and crash during decryption. The flaw resides in the library's handling of JSON Web Encryption (JWE) objects. Specifically, when decrypting a JWE object that uses a key wrapping algorithm (indicated by an `alg` header value ending in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and that carries an empty `encrypted_key` field, the `cipher.KeyUnwrap()` function attempts to allocate a slice with a zero or negative length. This triggers a runtime panic.

The vulnerability is exploitable via the standard parsing and decryption flow. An attacker can craft a malicious JWE object that, when processed by an application using a vulnerable version of Go JOSE, triggers the panic. The attack path is reachable when an application calls `ParseEncrypted()`, `ParseEncryptedJSON()`, or `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. A critical mitigating factor is that the parse functions require a list of accepted key algorithms. If the application's configuration does not accept any key wrapping algorithms, parsing fails before `Decrypt()` is ever reached, preventing exploitation. The impact is therefore contingent on how the library is used.
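The following added example, which is not code from the Go JOSE project or from the original advisory, shows the two defensive checks described above as a stand-alone, standard-library-only guard that an application can run on a compact-serialized JWE before handing it to the library: an explicit allowlist of accepted `alg` values (the same gate the library's `ParseEncrypted*` functions apply when given a restricted list), plus a rejection of the exact condition the advisory names, a key wrapping `alg` combined with an empty `encrypted_key` segment. The function name `CheckCompactJWE`, the error variables, and the sample tokens are this example's own assumptions; the sample tokens are constructed and contain no real ciphertext. Upgrading to a patched version remains the actual fix; this guard only keeps an unpatched build from reaching the panic.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors returned by the guard (names are this example's own).
var (
	ErrMalformed       = errors.New("jwe: compact serialization must have 5 segments")
	ErrBadHeader       = errors.New("jwe: protected header is not valid base64url JSON")
	ErrAlgNotAccepted  = errors.New("jwe: key algorithm not in accepted list")
	ErrEmptyWrappedKey = errors.New("jwe: key wrapping algorithm with empty encrypted_key")
)

// isKeyWrap mirrors the advisory's condition: alg ends in "KW", except the
// AES-GCM key wrap variants, which the advisory excludes.
func isKeyWrap(alg string) bool {
	switch alg {
	case "A128GCMKW", "A192GCMKW", "A256GCMKW":
		return false
	}
	return strings.HasSuffix(alg, "KW")
}

// CheckCompactJWE inspects a compact JWE (header.encrypted_key.iv.ciphertext.tag)
// before it is passed to the library. It returns the alg found in the header
// and an error if the token must not be decrypted. It does not validate the
// ciphertext itself; that remains the library's job.
func CheckCompactJWE(token string, acceptedAlgs []string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", ErrMalformed
	}
	// The protected header is unpadded base64url-encoded JSON.
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", ErrBadHeader
	}
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", ErrBadHeader
	}
	// Gate 1: the caller's allowlist, as the library's ParseEncrypted* enforce.
	accepted := false
	for _, a := range acceptedAlgs {
		if a == hdr.Alg {
			accepted = true
			break
		}
	}
	if !accepted {
		return hdr.Alg, ErrAlgNotAccepted
	}
	// Gate 2: the panic condition from the advisory, for unpatched builds.
	if isKeyWrap(hdr.Alg) && parts[1] == "" {
		return hdr.Alg, ErrEmptyWrappedKey
	}
	return hdr.Alg, nil
}

// header builds a base64url protected header for the constructed samples.
func header(alg, enc string) string {
	b, _ := json.Marshal(map[string]string{"alg": alg, "enc": enc})
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	// Constructed sample tokens: only the header and encrypted_key segment
	// matter for this check; iv, ciphertext and tag are placeholder strings.
	samples := map[string]string{
		"kw-empty-key": header("A128KW", "A128GCM") + "..aXY.Y3Q.dGFn",
		"kw-with-key":  header("A128KW", "A128GCM") + ".ZW5jcnlwdGVka2V5.aXY.Y3Q.dGFn",
		"dir-no-key":   header("dir", "A256GCM") + "..aXY.Y3Q.dGFn",
	}
	// An allowlist that admits only direct encryption never lets a KW token
	// through, which is the mitigation the advisory describes.
	for name, tok := range samples {
		alg, err := CheckCompactJWE(tok, []string{"dir"})
		fmt.Printf("%-13s alg=%-8s err=%v\n", name, alg, err)
	}
}
```

In practice the allowlist passed to `CheckCompactJWE` should be the same list the application hands to the library's parse function, so that the two gates never disagree; the `dir` sample shows that an empty `encrypted_key` is legitimate for direct encryption and is not rejected by the guard.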

The vulnerability affects versions before 4.1.4 on the 4.x line and before 3.0.5 on the 3.x line. Developers must upgrade to these patched versions immediately to mitigate denial-of-service risks. The panic represents a reliable crash vector, making it a potent tool for disrupting services that rely on this library for cryptographic operations, particularly in authentication (JWT) or secure message-passing systems where JWE is employed. The fix addresses the improper handling of the empty key field, preventing the invalid slice allocation.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-34986, Go, Cryptography, Vulnerability, Denial-of-Service
- **Credibility**: unverified
- **Published**: 2026-04-09 09:27:07
- **ID**: 56559
- **URL**: https://whisperx.ai/en/intel/56559