CVE-2026-23991
Denial of Service via Panic on Invalid Metadata in go-tuf
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theupdateframework | go-tuf | From 2.0.0 (inc) to 2.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23991 is a denial-of-service vulnerability in the Go implementation of The Update Framework (go-tuf), versions 2.0.0 through 2.3.0. If a TUF repository or one of its mirrors returns metadata that is syntactically valid JSON but does not have the structure TUF metadata is expected to have, the client performs unchecked type assertions while parsing it; a mismatched type makes the assertion panic and crashes the client before any signature verification takes place. An attacker who controls a repository, a mirror, or a cache can therefore cause a denial of service without possessing any signing keys. [1, 3]
How can this vulnerability impact me?
Client applications built on go-tuf can crash, or enter a restart loop, whenever they receive TUF metadata that is syntactically valid JSON but structurally malformed. The result is a denial of service that can disrupt the availability of your update mechanism and of any service that depends on go-tuf for secure updates. Because the panic happens before signature verification, an attacker controlling a repository or mirror can trigger the outage without holding any signing keys. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a panic (crash) in the go-tuf client while it parses TUF metadata JSON that is syntactically valid but structurally malformed. It can be detected by monitoring the go-tuf client logs or system logs for panic or crash messages that originate in metadata parsing. Because the panic occurs before signature validation, look for error messages or stack traces that point to failed type assertions inside the metadata parsing functions. The referenced resources provide no specific commands; general approaches are to search the logs for panic events and to run the go-tuf client with debug logging enabled so that parsing errors are captured. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the go-tuf client to version 2.3.1 or later, where the issue is fixed by tightening type assertions and error handling during metadata parsing. No workarounds are known. Once the fixed version is in place, malformed metadata is rejected with an error instead of panicking the client. [2, 3]
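The following Go program is an added illustration of the CWE-617/CWE-754 pattern behind this CVE and of the kind of fix the mitigation describes; it is not go-tuf's own code, and the two JSON documents are constructed samples, not real TUF metadata. `metadataTypeUnchecked` decodes metadata into a generic map and uses single-value type assertions, so JSON that is valid but has an unexpected shape panics before anything is verified. `metadataTypeChecked` uses the two-value ("comma ok") assertion form and returns an error instead. The function and error names are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample inputs (not real TUF metadata). The first has the shape
// a parser expects: a "signed" object holding a string "_type". The second is
// valid JSON that puts a string where an object is expected.
const wellFormed = `{"signed": {"_type": "root", "version": 1}, "signatures": []}`
const wrongShape = `{"signed": "not-an-object", "signatures": []}`

// ErrMalformed is returned by the hardened parser in place of a panic.
var ErrMalformed = errors.New("metadata: unexpected JSON shape")

// metadataTypeUnchecked shows the defect class: single-value type assertions
// on generic JSON. A shape mismatch panics with a runtime "interface
// conversion" error before any signature could be checked.
func metadataTypeUnchecked(raw []byte) string {
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return ""
	}
	signed := doc["signed"].(map[string]interface{}) // panics if not an object (or missing)
	return signed["_type"].(string)                   // panics if not a string
}

// metadataTypeChecked is the hardened form: every assertion uses the two-value
// form and every unexpected shape becomes an error the caller can handle.
func metadataTypeChecked(raw []byte) (string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", fmt.Errorf("metadata: invalid JSON: %w", err)
	}
	signed, ok := doc["signed"].(map[string]interface{})
	if !ok {
		return "", fmt.Errorf("%w: \"signed\" is not an object", ErrMalformed)
	}
	typ, ok := signed["_type"].(string)
	if !ok {
		return "", fmt.Errorf("%w: \"_type\" is not a string", ErrMalformed)
	}
	return typ, nil
}

// Panics reports whether fn panics. It exists only so the demo can show the
// crash without taking the process down; a real client has no such guard.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	typ, err := metadataTypeChecked([]byte(wellFormed))
	fmt.Println("checked, well-formed:", typ, err) // root <nil>
	_, err = metadataTypeChecked([]byte(wrongShape))
	fmt.Println("checked, wrong shape:", err) // metadata: unexpected JSON shape: "signed" is not an object
	fmt.Println("unchecked panics on wrong shape:",
		Panics(func() { metadataTypeUnchecked([]byte(wrongShape)) })) // true
}
```

In an unguarded client the unchecked path terminates the process with a message of the form `panic: interface conversion: interface {} is string, not map[string]interface {}`, which is the signature to look for in logs when checking for this failure mode; the hardened path surfaces the same condition as an ordinary error that the caller can log and reject, so an untrusted source cannot take the client down before signatures are examined.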
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service by crashing clients that parse malformed metadata; it does not affect the confidentiality or integrity of data. It therefore has no direct bearing on standards such as GDPR or HIPAA, which focus on data protection and privacy. The loss of availability could affect compliance indirectly if critical systems that rely on go-tuf are disrupted, but the referenced resources describe no explicit compliance impact. [3]