DEBIAN-CVE-2026-23992
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 22 Jan 2026, 03:15
Last modified: 28 Apr 2026, 20:31
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
22 Jan 2026, 03:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:31
Last Modified
Vulnerability information updated
Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can set the configured signature threshold of a role to 0, which effectively disables signature verification for that role. As a result, unauthorized modification of TUF metadata files is possible at rest or in transit, because no integrity check is enforced. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
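The following Go program is an added illustration of the failure mode described above; it is not go-tuf's own code and not part of this advisory. It models a TUF role (the spec's "keyids"/"threshold" shape) and a signature check over Ed25519 keys from the standard library. VerifyVulnerable trusts whatever threshold the metadata carries, so a threshold of 0 is satisfied by zero valid signatures; VerifyHardened rejects any threshold below 1 before counting signatures, which is what the advisory's workaround amounts to. CheckRootThresholds is a hypothetical helper that scans the "roles" map of a root-style document for thresholds below 1. All names, the sample metadata and the generated key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Role uses the TUF spec's "keyids"/"threshold" field names. Everything
// else in this file is illustrative and not go-tuf's own code.
type Role struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

// Signature pairs a key ID with a raw Ed25519 signature over the signed bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

// countValid returns how many distinct keys assigned to the role produced a
// valid signature over signed. Unknown keys, keys not assigned to the role
// and repeated key IDs do not count toward the threshold.
func countValid(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) int {
	allowed := map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	seen := map[string]bool{}
	n := 0
	for _, s := range sigs {
		pub, ok := keys[s.KeyID]
		if !ok || !allowed[s.KeyID] || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, signed, s.Sig) {
			seen[s.KeyID] = true
			n++
		}
	}
	return n
}

// VerifyVulnerable models the pre-fix behaviour: the threshold is taken from
// the metadata as-is, so threshold 0 passes with no signatures at all.
func VerifyVulnerable(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) error {
	if countValid(role, keys, signed, sigs) < role.Threshold {
		return errors.New("threshold not met")
	}
	return nil
}

// VerifyHardened refuses a threshold below 1 (and one larger than the number
// of assigned keys, which could never be satisfied) before counting anything.
func VerifyHardened(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) error {
	if role.Threshold < 1 {
		return fmt.Errorf("role threshold %d is invalid; must be >= 1", role.Threshold)
	}
	if role.Threshold > len(role.KeyIDs) {
		return fmt.Errorf("threshold %d exceeds %d assigned keys", role.Threshold, len(role.KeyIDs))
	}
	if n := countValid(role, keys, signed, sigs); n < role.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", n, role.Threshold)
	}
	return nil
}

// CheckRootThresholds (hypothetical helper) parses the "signed" portion of a
// root-style document and returns the names of roles whose threshold is < 1.
func CheckRootThresholds(rootSigned []byte) ([]string, error) {
	var doc struct {
		Roles map[string]Role `json:"roles"`
	}
	if err := json.Unmarshal(rootSigned, &doc); err != nil {
		return nil, err
	}
	var bad []string
	for name, r := range doc.Roles {
		if r.Threshold < 1 {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"k1": pub}
	signed := []byte(`{"_type":"targets","version":2}`) // constructed sample
	// Attacker-controlled metadata: threshold forced to 0, no signatures.
	zero := Role{KeyIDs: []string{"k1"}, Threshold: 0}
	fmt.Println("vulnerable, threshold 0, no sigs:", VerifyVulnerable(zero, keys, signed, nil))
	fmt.Println("hardened,   threshold 0, no sigs:", VerifyHardened(zero, keys, signed, nil))
	one := Role{KeyIDs: []string{"k1"}, Threshold: 1}
	sig := Signature{KeyID: "k1", Sig: ed25519.Sign(priv, signed)}
	fmt.Println("hardened,   threshold 1, one sig:", VerifyHardened(one, keys, signed, []Signature{sig}))
}
```

Run as-is, the vulnerable verifier returns nil for the zero-threshold role with no signatures, while the hardened verifier rejects it before looking at any signature. The same threshold check should be applied to every role in root metadata and to delegations, since an attacker who can edit the metadata can lower any of them.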
CVSS Metrics
- v3.1•HIGH•Score: 7.5•CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Systems
- debian•golang-github-theupdateframework-go-tuf
all | all | < 2.4.1+0.7.0-1