CVE-2026-23991

5.9 MEDIUM
Published: January 22, 2026 Modified: February 17, 2026
View on NVD

Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6
Source: security-advisories@github.com
Patch
https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
Source: security-advisories@github.com
Release Notes
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
Source: security-advisories@github.com
Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.9 / 10.0
EPSS (Exploit Probability)
0.0%
6th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-617 CWE-754

Affected Vendors

theupdateframework

Related CVEs

CVE-2026-4633 3.7
CVE-2026-4583 5.0
CVE-2026-28809 N/A
CVE-2026-4582 5.0
CVE-2026-4581 7.3