CVE-2026-23991
Published: 22 January 2026
Summary
CVE-2026-23991 is a medium-severity Reachable Assertion (CWE-617) vulnerability in Theupdateframework Go-Tuf. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires detection and response to audit logging failures as an unusual or exceptional condition.
Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.
Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.
IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.
Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.
Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.
Requires detection of unusual conditions followed by a controlled transition to the defined failure state.
MTTF determination forces explicit checks for conditions that precede predictable component failure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables remote application-layer DoS via malformed update metadata before any validation, matching T1499.004 (Application or System Exploitation).
NVD Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF…
more
metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
Deeper analysisAI
CVE-2026-23991 affects go-tuf, a Go implementation of The Update Framework (TUF), in versions starting from 2.0.0 and prior to 2.3.1. The vulnerability arises when a TUF repository, its mirrors, or caches return invalid TUF metadata JSON—specifically, JSON that is syntactically valid but not well-formed according to TUF specifications. During parsing, the client panics before any signature validation occurs, resulting in a denial-of-service condition. The issue is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-617 (Reachable Assertion) and CWE-754 (Improper Check for Unusual or Exceptional Conditions).
An attacker who compromises a TUF repository, mirror, or cache can exploit this vulnerability by serving malformed TUF metadata JSON. No signing keys are required, as the panic triggers during initial parsing prior to signature checks. This enables remote denial-of-service against clients over the network, with no privileges, user interaction, or scope changes needed, though exploitation requires high attack complexity. Affected clients crash, disrupting software update processes that rely on go-tuf for secure metadata handling.
The go-tuf project addresses the issue in version 2.3.1, which includes a fix via commit 73345ab6b0eb7e59d525dac17a428f043074cef6. The security advisory (GHSA-846p-jg2w-w324) and release notes for v2.3.1 detail the patch and affected versions. No workarounds are available.
Details
- CWE(s)