Cyber Resilience

CVE-2026-23991

Medium

Published: 22 January 2026

Published
22 January 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 11.4th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23991 is a medium-severity Reachable Assertion (CWE-617) vulnerability in Theupdateframework Go-Tuf. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-23991 affects go-tuf, a Go implementation of The Update Framework (TUF), in versions starting from 2.0.0 and prior to 2.3.1. The vulnerability arises when a TUF repository, its mirrors, or caches return invalid TUF metadata JSON—specifically, JSON that is syntactically valid but not well-formed according to TUF specifications. During parsing, the client panics before any signature validation occurs, resulting in a denial-of-service condition. The issue is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-617 (Reachable Assertion) and CWE-754 (Improper Check for Unusual or Exceptional Conditions).

An attacker who compromises a TUF repository, mirror, or cache can exploit this vulnerability by serving malformed TUF metadata JSON. No signing keys are required, as the panic triggers during initial parsing prior to signature checks. This enables remote denial-of-service against clients over the network, with no privileges, user interaction, or scope changes needed, though exploitation requires high attack complexity. Affected clients crash, disrupting software update processes that rely on go-tuf for secure metadata handling.

The go-tuf project addresses the issue in version 2.3.1, which includes a fix via commit 73345ab6b0eb7e59d525dac17a428f043074cef6. The security advisory (GHSA-846p-jg2w-w324) and release notes for v2.3.1 detail the patch and affected versions. No workarounds are available.

EU & UK References

Vulnerability details

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF…

more

metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability directly enables remote application-layer DoS via malformed update metadata before any validation, matching T1499.004 (Application or System Exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23992Same product: Theupdateframework Go-Tuf
CVE-2026-20401Shared CWE-617, CWE-754
CVE-2026-2523Shared CWE-617
CVE-2026-4693Shared CWE-754
CVE-2026-41485Shared CWE-617
CVE-2026-37225Shared CWE-617
CVE-2026-33790Shared CWE-754
CVE-2026-33939Shared CWE-754
CVE-2025-13878Shared CWE-617
CVE-2026-37224Shared CWE-617

Affected Assets

theupdateframework
go-tuf
2.0.0 — 2.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of TUF metadata JSON before parsing, directly blocking the malformed input that triggers the pre-signature panic.

prevent

Mandates graceful error handling for exceptional conditions instead of an unhandled panic on invalid TUF metadata.

prevent

Limits denial-of-service effects from a compromised repository by protecting availability of the update client.

References