cvedb.io
CVE-2026-33697
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-27T00:16:23.133 · Last modified 2026-06-17T10:37:56.487

Summary

Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This vulnerability is present in both the AMD SEV-SNP and Intel TDX deployment targets supported by CoCoS. In the affected design, an attacker may be able to extract the ephemeral TLS private key used during the intra-handshake attestation. Because the attestation evidence is bound to the ephemeral key but not to the TLS channel, possession of that key is sufficient to relay or divert the attested TLS session. A client will accept the connection under false assumptions about the endpoint it is communicating with — the attestation report cannot distinguish the genuine attested service from the attack

Affected products

ultraviolet — cocos_ai

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.