PT-2026-3903 · Go-Tuf · Go-Tuf

1Seal · Published 2026-01-19 · Updated 2026-05-18 · CVE-2026-23991

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: go-tuf versions 2.0.0 through 2.3.0

Description: go-tuf, a Go implementation of The Update Framework (TUF), is susceptible to a denial of service. When processing TUF metadata, versions prior to 2.3.1 may panic if invalid JSON is received from the repository or its mirrors. The panic occurs before signature validation, so a compromised repository or mirror can disrupt client operations without access to a signing key.

Recommendations: Update to version 2.3.1 or later.
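
A dependency check for the affected range stated above, as an added example that is not part of the advisory or of the go-tuf project: it scans go.mod text for go-tuf requirements in 2.0.0 through 2.3.0. The module path, the sample go.mod and the choice to treat pre-release or pseudo-versions of 2.3.1 as affected are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: go-tuf 2.x is required under this module path.
const modulePath = "github.com/theupdateframework/go-tuf/v2"

// Constructed go.mod used as sample input.
const sampleGoMod = "module example.test/updater\n\ngo 1.22\n\nrequire (\n" +
	"\tgithub.com/theupdateframework/go-tuf/v2 v2.3.0\n" +
	"\texample.test/other v1.4.2 // indirect\n)\n"

// Affected reports whether v is in the advisory's range (2.0.0 through 2.3.0).
// Pre-releases and pseudo-versions of 2.3.1 sort before the fixed release, so
// they are counted as affected (a conservative choice made for this example).
func Affected(v string) (bool, error) {
	s, _, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(v), "v"), "+")
	core, _, isPre := strings.Cut(s, "-")
	var major, minor, patch int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil ||
		fmt.Sprintf("%d.%d.%d", major, minor, patch) != core {
		return false, fmt.Errorf("not a semantic version: %q", v)
	}
	if major != 2 || minor != 3 {
		return major == 2 && minor < 3, nil
	}
	return patch == 0 || (patch == 1 && isPre), nil
}

// Scan returns the go-tuf versions in go.mod text that are affected or that
// cannot be parsed (unparseable versions are reported rather than ignored).
func Scan(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && f[0] == modulePath {
			if bad, err := Affected(f[1]); bad || err != nil {
				hits = append(hits, f[1])
			}
		}
	}
	return hits
}

func main() { fmt.Println("affected go-tuf requirements:", Scan(sampleGoMod)) }
```

The scan reads only `require` entries; `replace` directives and vendored copies are not examined.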

Exploit

Fix

DoS

Assertion Failure

Improper Check for Exceptional Conditions


Weakness Enumeration

Related Identifiers

AZL-75186
BDU:2026-01060
CLEANSTART-2026-BD19566
CLEANSTART-2026-EZ47382
CLEANSTART-2026-NS33477
CLEANSTART-2026-SH14815
CLEANSTART-2026-WN01990
CVE-2026-23991
GHSA-846P-JG2W-W324
GO-2026-4348
OPENSUSE-SU-2026:10235-1
OPENSUSE-SU-2026:20386-1
SUSE-SU-2026:0403-1
SUSE-SU-2026:0757-1
SUSE-SU-2026:0777-1
SUSE-SU-2026:20904-1

Affected Products

Go-Tuf