← Back to CVEs
CVE-2026-23991
MEDIUM5.9
Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
CVE Details
CVSS v3.1 Score5.9
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published1/22/2026
Last Modified2/17/2026
Sourcenvd
Honeypot Sightings0
Affected Products
theupdateframework:go-tuf
Weaknesses (CWE)
CWE-617CWE-754
References
https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6(security-advisories@github.com)
https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1(security-advisories@github.com)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.