CVE-2026-23992
Aliases: GHSA-fphv-w9fq-2525, GO-2026-4349
Advisory lineage Upstream: 0 Downstream: 8
Analyzed
Published: 22 Jan 2026, 02:20
Last modified: 22 Jan 2026, 15:21
Vulnerability Summary
Overall Risk (default): medium, 30/100
CVSS Score: 7.5 HIGH, v3.1 (nvd)
EPSS Score: 0.01% LOW (0.00% probability)
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
22 Jan 2026, 02:20
Published
Vulnerability first disclosed
22 Jan 2026, 15:21
Last Modified
Vulnerability information updated
Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can set the configured signature threshold of a role to 0, which effectively disables signature verification. This allows unauthorized modification of TUF metadata files at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
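The threshold check at the heart of this advisory, as an added Go illustration that is not go-tuf's own code: the verifier counts distinct valid signatures for a role and compares the count against the threshold, so with the threshold at 0 the comparison passes even when no signature is present at all, while the hardened variant rejects any threshold below 1 before counting. The Role and Signature types and the VerifyLax/VerifyStrict functions are constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Role models a TUF role for this example (not go-tuf's type): trusted
// public keys by key ID and the number of distinct valid signatures required.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}
// Signature pairs a key ID with a signature over the signed metadata bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}
// countValid returns how many distinct trusted keys signed validly;
// repeated signatures from one key count once.
func countValid(role Role, signed []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if pk, ok := role.Keys[s.KeyID]; ok && !seen[s.KeyID] && ed25519.Verify(pk, signed, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// VerifyLax shows the weak behaviour: with Threshold == 0 the test 0 >= 0
// holds, so metadata with no valid signature at all is accepted.
func VerifyLax(role Role, signed []byte, sigs []Signature) error {
	if countValid(role, signed, sigs) >= role.Threshold {
		return nil
	}
	return errors.New("not enough valid signatures")
}

// VerifyStrict rejects a threshold below 1 before counting signatures.
func VerifyStrict(role Role, signed []byte, sigs []Signature) error {
	if role.Threshold < 1 {
		return fmt.Errorf("invalid threshold %d: must be at least 1", role.Threshold)
	}
	return VerifyLax(role, signed, sigs)
}

func main() {
	// Threshold 0 with no signatures: the lax check returns <nil>, the strict check returns an error.
	fmt.Println(VerifyLax(Role{Threshold: 0}, []byte("meta"), nil), VerifyStrict(Role{Threshold: 0}, []byte("meta"), nil))
}
```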
CVSS Metrics
- v3.1 • MEDIUM • Score: 5.9 • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Trends
Current EPSS score: 0.01% • Percentile: 1%
Techniques & Countermeasures
- CWE-347 • Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Systems
- github.com/theupdateframework • go-tuf: all
- github.com/theupdateframework/go-tuf • v2: < 2.3.1
- theupdateframework • go-tuf: ≥ 2.0.0, < 2.3.1
References (5)
- https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
- https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0
- https://nvd.nist.gov/vuln/detail/CVE-2026-23992
- https://github.com/theupdateframework/go-tuf
- https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1