CVE-2026-23992
Published: 22 January 2026
Summary
CVE-2026-23992 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in go-tuf (theupdateframework/go-tuf), the Go implementation of The Update Framework. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). Its exploit likelihood is ranked at the 1.1 percentile, well below the median, and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE-347) cited in the NVD entry.
- Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
- Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
- PKI certificates issued under an approved policy require cryptographic signature verification on issuance and validation.
- Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
- Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
- Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
- Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Affected go-tuf versions accept a role signature threshold of 0 from the repository metadata, which disables signature verification for that role's metadata entirely. An attacker who controls or has misconfigured the repository can therefore tamper with update metadata without any signature, compromising the software supply chain the client trusts (T1195.002).
NVD Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification of TUF metadata files at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Deeper analysis
CVE-2026-23992 affects go-tuf, a Go implementation of The Update Framework (TUF), specifically versions starting from 2.0.0 up to but not including 2.3.1. The vulnerability arises when a compromised or misconfigured TUF repository sets signature thresholds to 0, effectively disabling signature verification. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), allows unauthorized modifications to TUF metadata files either at rest or during transit, as no integrity checks are performed. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact.
Exploitation requires control over the TUF repository a client trusts, whether by compromising it or by abusing a misconfiguration. An attacker in that position can set a role's threshold to 0 in the metadata; no privileges on the client, no user interaction and no scope change are needed, which is why the CVSS vector records network access with high attack complexity. Once verification for a role is disabled, the adversary can modify that role's metadata arbitrarily, undermining the integrity guarantees the update framework exists to provide and opening the way to further supply-chain compromise through tampered metadata.
The go-tuf security advisory (GHSA-fphv-w9fq-2525) and fixing commit (b38d91fdbc69dfe31fe9230d97dafe527ea854a0) confirm that version 2.3.1 resolves the issue. As a workaround, administrators should ensure all TUF metadata roles are configured with a signature threshold of at least 1 to prevent disabling verification.
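To make the failure mode behind both the ATT&CK mapping and the workaround concrete, the following Go program is an added example written for this page; it is not go-tuf's own code, and its types and function names (Role, Signature, verifyLenient, verifyStrict, AuditThresholds) are illustrative. It models TUF threshold verification in two forms: a lenient verifier that trusts a threshold of 0 as written, so unsigned metadata passes, and a strict verifier that rejects any threshold below 1 before counting signatures. It also applies the advisory's workaround as a check over a constructed root.json fragment, flagging any role whose threshold is below 1. For brevity the example signs raw bytes with a fixed demo key and skips canonical JSON encoding and TUF key-ID derivation, which a real client must perform.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Role models one entry of root.json's "roles" map (illustrative, not go-tuf's types).
type Role struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   []byte `json:"sig"`
}
var ErrInvalidThreshold = errors.New("role threshold must be at least 1")

// countValidSignatures counts distinct role keys with a valid Ed25519 signature
// over the "signed" bytes; a key that signs twice is counted once.
func countValidSignatures(signed []byte, sigs []Signature, role Role, keys map[string]ed25519.PublicKey) int {
	allowed := map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	seen, valid := map[string]bool{}, 0
	for _, s := range sigs {
		pub, known := keys[s.KeyID]
		if known && allowed[s.KeyID] && !seen[s.KeyID] && ed25519.Verify(pub, signed, s.Sig) {
			seen[s.KeyID] = true
			valid++
		}
	}
	return valid
}

// verifyLenient models the pre-2.3.1 behaviour the advisory describes: the
// threshold is trusted as written, so threshold=0 is met by zero signatures.
func verifyLenient(signed []byte, sigs []Signature, role Role, keys map[string]ed25519.PublicKey) error {
	if n := countValidSignatures(signed, sigs, role, keys); n < role.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", n, role.Threshold)
	}
	return nil
}

// verifyStrict is the hardened form: a threshold below 1 is rejected before
// any signature is counted, so metadata can never pass unsigned.
func verifyStrict(signed []byte, sigs []Signature, role Role, keys map[string]ed25519.PublicKey) error {
	if role.Threshold < 1 {
		return ErrInvalidThreshold
	}
	return verifyLenient(signed, sigs, role, keys)
}

// AuditThresholds applies the advisory's workaround as a check: it returns the
// names of roles in a root.json document whose threshold is below 1.
func AuditThresholds(rootJSON []byte) ([]string, error) {
	var root struct {
		Signed struct {
			Roles map[string]Role `json:"roles"`
		} `json:"signed"`
	}
	if err := json.Unmarshal(rootJSON, &root); err != nil {
		return nil, err
	}
	var bad []string
	for name, r := range root.Signed.Roles {
		if r.Threshold < 1 {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// SampleRoot is a constructed root.json fragment (not from any real repository)
// in which the targets role has been misconfigured with threshold 0.
const SampleRoot = `{"signed":{"roles":{"root":{"keyids":["k1"],"threshold":1},
"snapshot":{"keyids":["k1"],"threshold":1},"timestamp":{"keyids":["k1"],"threshold":1},
"targets":{"keyids":["k1"],"threshold":0}}}}`

// DemoThresholdZero presents unsigned, tampered targets metadata to a
// threshold-0 role and reports what each verifier does with it.
func DemoThresholdZero() (lenientAccepts bool, strictErr error) {
	pub := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public().(ed25519.PublicKey) // fixed demo key
	keys := map[string]ed25519.PublicKey{"k1": pub}
	role := Role{KeyIDs: []string{"k1"}, Threshold: 0}
	tampered := []byte(`{"_type":"targets","version":99,"targets":{"app":{"hashes":{"sha256":"00"}}}}`)
	return verifyLenient(tampered, nil, role, keys) == nil, verifyStrict(tampered, nil, role, keys)
}

func main() {
	lenient, strict := DemoThresholdZero()
	bad, _ := AuditThresholds([]byte(SampleRoot))
	fmt.Printf("lenient accepts=%v strict=%v; roles with threshold<1: %v\n", lenient, strict, bad)
}
```

Run as-is: the lenient verifier accepts the tampered, unsigned targets metadata, the strict verifier returns ErrInvalidThreshold, and the audit reports the targets role. The same audit loop, pointed at the root.json a deployment actually trusts, is the practical form of the advisory's "threshold of at least 1" workaround for clients that cannot yet move to 2.3.1.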
Details
- CWE(s)