sq-git (sequoia-git), Hard Revocation Handling Bypass, RUSTSEC-2026-0109 (Low Severity)


How the CVE Works

The vulnerability lies in `sq-git`'s commit authentication process, which relies on checking for hard revocations in a project's signing policy. To avoid re-validating the same policy repeatedly, `sq-git` keeps a cache of policies it has already validated, keyed by the policy's hash. Due to a programming error, the computed hash was truncated to zero bytes, so every policy mapped to the same key and the cache collapsed into a single bucket. As a result, `sq-git` failed to re-evaluate policies that included recent hard revocations, and only the revocations present in the target commit itself were checked.
Typically, hard revocations are permanent records within a signing policy and are never removed. However, an attacker can exploit this flaw in a multi-maintainer scenario. If a maintainer (Bob) has their certificate compromised and issues a hard revocation, another maintainer (Alice) adds it to the policy. An attacker with access to Bob's key can then craft a merge request that strips this hard revocation from the commit history.
If Alice is deceived into merging this malicious request, the revocation is effectively erased from the project's recent commit chain. Subsequently, `sq-git` will no longer detect the hard revocation, allowing the attacker to authenticate future commits that should have been blocked by the original revocation.
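To make the cache-collision failure concrete, here is an added, simplified model of a validated-policy cache (not sq-git's own code): `key_len` controls how many bytes of the policy hash form the cache key, with 0 standing in for the truncation bug and 8 for the full 64-bit key. The policies, maintainer names and `demo` helper are constructed for this illustration.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Simplified signing policy: authorized signers and hard-revoked certificates.
#[derive(Hash, Clone)]
pub struct Policy {
    pub maintainers: Vec<&'static str>,
    pub hard_revoked: Vec<&'static str>,
}

/// Cache of validated policies keyed by a prefix of the policy hash.
/// key_len == 0 models the bug (every policy shares one bucket);
/// key_len == 8 keeps the whole hash, so distinct policies get distinct keys.
pub struct PolicyCache {
    key_len: usize,
    validated: HashMap<Vec<u8>, Policy>,
}

impl PolicyCache {
    pub fn new(key_len: usize) -> Self {
        PolicyCache { key_len, validated: HashMap::new() }
    }

    fn key_for(&self, policy: &Policy) -> Vec<u8> {
        let mut h = DefaultHasher::new();
        policy.hash(&mut h);
        h.finish().to_le_bytes()[..self.key_len].to_vec()
    }

    /// Authenticate `signer` against `policy`, reusing a previously validated
    /// policy whenever the (possibly truncated) key already exists in the cache.
    pub fn authenticate(&mut self, policy: &Policy, signer: &str) -> bool {
        let key = self.key_for(policy);
        let effective = self.validated.entry(key).or_insert_with(|| policy.clone());
        effective.maintainers.iter().any(|m| *m == signer)
            && !effective.hard_revoked.iter().any(|r| *r == signer)
    }
}

/// Returns (bob accepted before revocation, bob accepted after revocation).
pub fn demo(key_len: usize) -> (bool, bool) {
    let before = Policy { maintainers: vec!["alice", "bob"], hard_revoked: vec![] };
    let after = Policy { maintainers: vec!["alice", "bob"], hard_revoked: vec!["bob"] };
    let mut cache = PolicyCache::new(key_len);
    let bob_before = cache.authenticate(&before, "bob");
    let bob_after = cache.authenticate(&after, "bob"); // stale hit when key_len == 0
    (bob_before, bob_after)
}
```

With the truncated key the second call hits the stale entry cached for the pre-revocation policy and Bob's revoked certificate is still accepted; with the full key the revocation is enforced.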

DailyCVE Form

Platform: sequoia-git
Version: <0.6.0
Vulnerability: Hard Revocation
Severity: Low
Date: 2026-04-21

Prediction: 2026-05-04

What Undercode Says:

Check for the vulnerable version (<0.6.0)
cargo tree | grep sequoia-git
Install the patched version (0.6.0)
cargo install sequoia-git --version 0.6.0

Exploit:

1. Gain access to compromised maintainer’s key.

2. Create merge request removing hard revocation.

3. Socially engineer merging of the request.

Protection from this CVE:

1. Upgrade to `sequoia-git` version 0.6.0 or later.

2. Implement mandatory code review for all changes to signing policies.

Impact:

An attacker can permanently bypass hard revocations, enabling unauthorized commits to be authenticated and merged into a project’s history, undermining the integrity of the software supply chain.

Sources:

Reported By: github.com