CVE-2026-23991
Published: 22 January 2026
Summary
CVE-2026-23991 is a medium-severity Reachable Assertion (CWE-617) vulnerability in Theupdateframework Go-Tuf. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-23991 affects go-tuf, a Go implementation of The Update Framework (TUF), in versions starting from 2.0.0 and prior to 2.3.1. The vulnerability arises when a TUF repository, its mirrors, or caches return invalid TUF metadata JSON—specifically, JSON that is syntactically valid but not well-formed according to TUF specifications. During parsing, the client panics before any signature validation occurs, resulting in a denial-of-service condition. The issue is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-617 (Reachable Assertion) and CWE-754 (Improper Check for Unusual or Exceptional Conditions).
An attacker who compromises a TUF repository, mirror, or cache can exploit this vulnerability by serving malformed TUF metadata JSON. No signing keys are required, as the panic triggers during initial parsing prior to signature checks. This enables remote denial-of-service against clients over the network, with no privileges, user interaction, or scope changes needed, though exploitation requires high attack complexity. Affected clients crash, disrupting software update processes that rely on go-tuf for secure metadata handling.
The go-tuf project addresses the issue in version 2.3.1, which includes a fix via commit 73345ab6b0eb7e59d525dac17a428f043074cef6. The security advisory (GHSA-846p-jg2w-w324) and release notes for v2.3.1 detail the patch and affected versions. No workarounds are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3673
Vulnerability details
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF…
more
metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables remote application-layer DoS via malformed update metadata before any validation, matching T1499.004 (Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of TUF metadata JSON before parsing, directly blocking the malformed input that triggers the pre-signature panic.
Mandates graceful error handling for exceptional conditions instead of an unhandled panic on invalid TUF metadata.
Limits denial-of-service effects from a compromised repository by protecting availability of the update client.