Security Patch: go-jose/v4 Library Vulnerability (CVE-2026-34986) Exposes Panic Risk in JWE Decryption

A critical security vulnerability in the widely-used Go cryptography library `github.com/go-jose/go-jose/v4` has been patched. The flaw, tracked as CVE-2026-34986, can cause a runtime panic when decrypting certain malformed JSON Web Encryption (JWE) objects. This vulnerability is triggered in a specific but reachable code path, posing a denial-of-service risk to any service that processes untrusted JWE tokens using the affected library versions.

The vulnerability resides in the key unwrapping logic. When a JWE object uses a key wrapping algorithm (denoted by an `alg` field ending in `KW`, except for `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and contains an empty `encrypted_key` field, the `cipher.KeyUnwrap()` function in `key_wrap.go` attempts to allocate a slice with a zero or negative length. This illegal memory operation triggers a panic, crashing the Go process. The attack vector is accessible through the library's standard decryption API calls: `ParseEncrypted()`, `ParseEncryptedJSON()`, or `ParseEncryptedCompact()`, followed by `Decrypt()` on the resulting object.

The maintainers have released version v4.1.4 to address this issue. The patch ensures the library handles the empty `encrypted_key` case gracefully before the panic-inducing allocation occurs. This update is classified as a security patch, and all projects depending on `go-jose/v4` are urged to upgrade from v4.1.3 or earlier immediately. The impact is limited to a crash/panic scenario and does not indicate a data exposure or cryptographic bypass, but it represents a reliable vector for disrupting services that rely on this library for JWE processing.