CVE-2026-23992
Unknown Unknown - Not Provided
Signature Verification Bypass in go-tuf via Misconfigured Thresholds

Publication date: 2026-01-22

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23992
EUVD
EUVD-2026-3672
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
theupdateframework go-tuf From 2.0.0 (inc) to 2.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in go-tuf (a Go implementation of The Update Framework) occurs because the software allowed the signature threshold for delegated roles to be set to 0 or a negative value. This means signature verification could be effectively disabled, allowing unauthorized modifications to TUF metadata files either at rest or during transit, since no integrity checks would be enforced. The issue was fixed by adding validation to ensure the threshold is at least 1. [1, 2]

Impact Analysis

If exploited, this vulnerability can allow unauthorized modifications to TUF metadata files without detection, potentially leading to the acceptance of malicious or tampered updates. This compromises the integrity of the update process, which could result in the distribution of malicious software or corrupted data to users relying on go-tuf for secure updates. [2]

Detection Guidance

This vulnerability can be detected by inspecting the TUF metadata roles configuration to check if any signature threshold is set to 0 or less, which disables signature verification. Specifically, you should verify the threshold values in the delegation metadata. Since the vulnerability relates to the VerifyDelegate function failing to validate thresholds, you can look for errors or warnings indicating 'insufficient threshold' in logs if using a patched version. There are no specific commands provided in the resources, but a practical approach is to parse the TUF metadata JSON files and check the 'threshold' fields for each role to ensure they are at least 1. [1, 2]

Mitigation Strategies

The immediate mitigation step is to ensure that all TUF metadata roles are configured with a signature threshold of at least 1, never 0 or less. Additionally, upgrade the go-tuf implementation to version 2.3.1 or later, where this issue is fixed by validating threshold values in the VerifyDelegate function to prevent acceptance of invalid thresholds. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart