CVE-2026-23991
Unknown Unknown - Not Provided
Denial of Service via Panic on Invalid Metadata in go-tuf

Publication date: 2026-01-22

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23991
EUVD
EUVD-2026-3673
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
theupdateframework go-tuf From 2.0.0 (inc) to 2.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23991 is a denial-of-service vulnerability in the Go implementation of The Update Framework (go-tuf) versions 2.0.0 up to 2.3.0. If a TUF repository or its mirrors return metadata JSON that is valid JSON but not well-formed according to TUF standards, the client improperly performs type assertions during parsing, causing a panic and crashing the client before any signature validation occurs. This allows an attacker controlling a repository, mirror, or cache to cause a denial of service without needing access to signing keys. [1, 3]

Impact Analysis

This vulnerability can cause your client applications using go-tuf to crash or enter a restart loop when they receive malformed but syntactically valid TUF metadata. This results in a denial of service, potentially disrupting availability of your update mechanisms or services relying on go-tuf for secure updates. Since the panic occurs before signature verification, an attacker controlling a repository or mirror can exploit this to cause service outages without needing signing keys. [3]

Detection Guidance

This vulnerability manifests as a panic (crash) in the go-tuf client when it parses malformed but syntactically valid TUF metadata JSON. Detection can be done by monitoring the go-tuf client logs or system logs for panic or crash messages related to metadata parsing failures. Since the panic occurs before signature validation, look for error messages or stack traces indicating type assertion failures in the metadata parsing functions. There are no specific commands provided in the resources, but general approaches include checking logs for panic events or running the go-tuf client with debug logging enabled to capture parsing errors. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the go-tuf client to version 2.3.1 or later, where the issue has been fixed by improving type assertion and error handling during metadata parsing. No known workarounds are available. Updating to the fixed version ensures that malformed metadata no longer causes client panics and denial of service. [2, 3]

Compliance Impact

The vulnerability causes a denial of service by crashing clients when parsing malformed metadata, but it does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards like GDPR or HIPAA, which focus on data protection and privacy. However, the availability impact could indirectly affect compliance if critical systems relying on go-tuf are disrupted, but no explicit compliance impact is described. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart