PT-2026-3903 · Go-Tuf · Go-Tuf

1Seal · Published 2026-01-19 · Updated 2026-03-03 · CVE-2026-23991

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

go-tuf versions 2.0.0 through 2.3.0

Description

go-tuf, a Go implementation of The Update Framework (TUF), is susceptible to a denial of service. When processing TUF metadata, versions prior to 2.3.1 may panic if invalid JSON is received from the repository or its mirrors. This occurs before signature validation, allowing a compromised repository or mirror to disrupt client operations without requiring signing key access.

Recommendations

Update to version 2.3.1 or later.

Exploit

Fix

DoS

Improper Check for Exceptional Conditions

Assertion Failure

Weakness Enumeration

Related Identifiers

BDU:2026-01060
CVE-2026-23991
GHSA-846P-JG2W-W324
GO-2026-4348
SUSE-SU-2026:0757-1
SUSE-SU-2026:0777-1

Affected Products

Go-Tuf