CVE-2026-23991

Aliases:GHSA-846p-jg2w-w324GO-2026-4348
Advisory lineage Upstream: 0 Downstream: 8
Analyzed
Published: 22 Jan 2026, 02:16
Last modified:22 Jan 2026, 15:35

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.04% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Jan 2026, 02:16
Published
Vulnerability first disclosed
22 Jan 2026, 15:35
Last Modified
Vulnerability information updated

Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

CVSS Metrics

  • v3.1MEDIUMScore: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.04% Percentile: 11%

Techniques & Countermeasures

  • CWE-617Reachable Assertion

    The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • CWE-754Improper Check for Unusual or Exceptional Conditions

    The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Affected Systems

  • github.com/theupdateframeworkgo-tuf

    all

  • github.com/theupdateframework/go-tufv2

    < 2.3.1

  • theupdateframeworkgo-tuf

    ≥ 2.0.0, < 2.3.1

References (5)