CVE-2026-23991
Severity: HIGH · CVSS 3.1 base score: 7.5 · EPSS: 40.8%
Published: Jan 22, 2026 (5 months ago) · Last modified: Jun 17, 2026 (1 week ago)
Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
CVSS Details
Base Score: 7.5
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Threat Intelligence
EPSS exploit probability: 40.8%
Exploit status: No known exploit
Patch status: Patch available
Weaknesses (2): CWE-617, CWE-754
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| theupdateframework | go-tuf | * | ≥2.0.0 – <2.3.1 |
References (3)
- github.com https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6
- github.com https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
- github.com https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
Remediation
- github.com https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6