CVE-2026-23992
Signature Verification Bypass in go-tuf via Misconfigured Thresholds
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theupdateframework | go-tuf | From 2.0.0 (inc) to 2.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in go-tuf (a Go implementation of The Update Framework) occurs because the software allowed the signature threshold for delegated roles to be set to 0 or a negative value. This means signature verification could be effectively disabled, allowing unauthorized modifications to TUF metadata files either at rest or during transit, since no integrity checks would be enforced. The issue was fixed by adding validation to ensure the threshold is at least 1. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can allow unauthorized modifications to TUF metadata files without detection, potentially leading to the acceptance of malicious or tampered updates. This compromises the integrity of the update process, which could result in the distribution of malicious software or corrupted data to users relying on go-tuf for secure updates. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the TUF metadata roles configuration to check if any signature threshold is set to 0 or less, which disables signature verification. Specifically, you should verify the threshold values in the delegation metadata. Since the vulnerability relates to the VerifyDelegate function failing to validate thresholds, you can look for errors or warnings indicating 'insufficient threshold' in logs if using a patched version. There are no specific commands provided in the resources, but a practical approach is to parse the TUF metadata JSON files and check the 'threshold' fields for each role to ensure they are at least 1. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to ensure that all TUF metadata roles are configured with a signature threshold of at least 1, never 0 or less. Additionally, upgrade the go-tuf implementation to version 2.3.1 or later, where this issue is fixed by validating threshold values in the VerifyDelegate function to prevent acceptance of invalid thresholds. [2, 1]
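The detection and mitigation answers above both come down to one rule: every role in the TUF metadata, delegated roles included, must carry a signature threshold of at least 1. The Go program below is an added example, not go-tuf's own code or any function from its API; it parses root.json and targets.json directly with encoding/json and reports every role whose threshold is below 1. It goes one step beyond the page by also flagging a threshold larger than the number of keys the role lists, since such a role can never be satisfied either. The sample metadata is constructed for the example, and the names ValidThreshold, AuditThresholds and Finding are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of the TUF metadata schema needed for a threshold audit. The field
// names ("signed", "roles", "delegations", "keyids", "threshold") are those of
// the TUF specification; fields irrelevant to the audit are ignored on parse.
type roleSpec struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

type delegatedRole struct {
	Name      string   `json:"name"`
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

type delegations struct {
	Roles []delegatedRole `json:"roles"`
}

type metadataFile struct {
	Signed struct {
		Type        string              `json:"_type"`
		Roles       map[string]roleSpec `json:"roles"`       // present in root.json
		Delegations *delegations        `json:"delegations"` // present in targets.json
	} `json:"signed"`
}

// Finding is one role whose threshold cannot enforce signature verification.
type Finding struct {
	File      string
	Role      string
	Threshold int
	KeyCount  int
}

// ValidThreshold is the rule a verifier must apply before trusting a role:
// at least one signature is always required (a threshold of 0 or less is the
// CVE-2026-23992 case), and the role must be satisfiable by the keys it lists.
// This is the example's own check, not the code go-tuf ships.
func ValidThreshold(threshold, keyCount int) bool {
	return threshold >= 1 && threshold <= keyCount
}

// AuditThresholds parses one metadata document (root or targets) and reports
// every role, including delegated roles, whose threshold fails ValidThreshold.
func AuditThresholds(filename string, raw []byte) ([]Finding, error) {
	var md metadataFile
	if err := json.Unmarshal(raw, &md); err != nil {
		return nil, fmt.Errorf("%s: %w", filename, err)
	}
	var findings []Finding
	report := func(role string, threshold, keys int) {
		if !ValidThreshold(threshold, keys) {
			findings = append(findings, Finding{File: filename, Role: role, Threshold: threshold, KeyCount: keys})
		}
	}
	for name, r := range md.Signed.Roles {
		report(name, r.Threshold, len(r.KeyIDs))
	}
	if md.Signed.Delegations != nil {
		for _, d := range md.Signed.Delegations.Roles {
			report("delegation:"+d.Name, d.Threshold, len(d.KeyIDs))
		}
	}
	// Map iteration order is random in Go; sort so the report is stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Role < findings[j].Role })
	return findings, nil
}

// Constructed sample metadata (not taken from any real repository): a root.json
// with sane thresholds and a targets.json with two misconfigured delegations.
const SampleRootJSON = `{"signed":{"_type":"root","roles":{
 "root":{"keyids":["k1"],"threshold":1},"targets":{"keyids":["k1"],"threshold":1},
 "snapshot":{"keyids":["k1"],"threshold":1},"timestamp":{"keyids":["k1"],"threshold":1}}},"signatures":[]}`

const SampleTargetsJSON = `{"signed":{"_type":"targets","targets":{},"delegations":{"keys":{},"roles":[
 {"name":"ok-role","keyids":["k1"],"threshold":1,"paths":["ok/*"],"terminating":false},
 {"name":"zero-role","keyids":["k1"],"threshold":0,"paths":["z/*"],"terminating":false},
 {"name":"negative-role","keyids":["k1","k2"],"threshold":-1,"paths":["n/*"],"terminating":false}]}},"signatures":[]}`

func main() {
	samples := map[string]string{"root.json": SampleRootJSON, "targets.json": SampleTargetsJSON}
	for _, name := range []string{"root.json", "targets.json"} {
		findings, err := AuditThresholds(name, []byte(samples[name]))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: role %q has threshold %d for %d key(s): signatures would not be enforced\n",
				f.File, f.Role, f.Threshold, f.KeyCount)
		}
	}
}
```

To audit a real repository, replace the embedded samples with the contents of root.json and every targets metadata file read from the metadata directory, and treat each finding as a configuration to correct alongside the upgrade to go-tuf 2.3.1 or later, which is the version the page names as rejecting such thresholds.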