Cyber Resilience

CVE-2026-23992

Severity: Medium
Published: 22 January 2026
Modified: 17 February 2026
KEV Added: not listed
Patch: version 2.3.1
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0001 (1.4th percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23992 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Theupdateframework Go-Tuf. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE is ranked at the 1.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-23992 affects go-tuf, a Go implementation of The Update Framework (TUF), specifically versions starting from 2.0.0 up to but not including 2.3.1. The vulnerability arises when a compromised or misconfigured TUF repository sets signature thresholds to 0, effectively disabling signature verification. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), allows unauthorized modifications to TUF metadata files either at rest or during transit, as no integrity checks are performed. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact.

An attacker who can compromise or misconfigure a TUF repository can publish role metadata with a threshold of 0. In CVSS terms the attack requires no privileges or user interaction and does not change scope; it is network-accessible but has high attack complexity, since control over the repository is a precondition. A successful attack lets the adversary arbitrarily modify TUF metadata that vulnerable clients will accept, undermining the integrity guarantees of the update framework and potentially enabling further supply chain compromise through tampered metadata.

The go-tuf security advisory (GHSA-fphv-w9fq-2525) and fixing commit (b38d91fdbc69dfe31fe9230d97dafe527ea854a0) confirm that version 2.3.1 resolves the issue. As a workaround, administrators should ensure all TUF metadata roles are configured with a signature threshold of at least 1 to prevent disabling verification.
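The following Go sketch is added here to illustrate the failure mode; it is not go-tuf's own code, and Role, verifyRole and buildScenario are simplified stand-ins for the project's metadata types and API. With threshold 0 and no minimum check, a threshold-counting loop is satisfied by zero valid signatures, so completely unsigned metadata passes; the fix is to reject any threshold below 1 before examining signatures. Keys and the sample payload are generated in the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Role is a simplified TUF role: trusted public keys by key ID plus the required signer count.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// verifyRole counts trusted keys with a valid signature over payload (sigs maps key ID to raw
// signature, so each key counts at most once). enforceMinThreshold=false mirrors the pre-2.3.1
// logic the advisory describes (threshold 0 accepted, so zero signatures satisfy it);
// enforceMinThreshold=true is the fixed behaviour: a threshold below 1 is rejected up front.
func verifyRole(role Role, payload []byte, sigs map[string][]byte, enforceMinThreshold bool) error {
	if enforceMinThreshold && role.Threshold < 1 {
		return fmt.Errorf("invalid role threshold %d: must be at least 1", role.Threshold)
	}
	valid := 0
	for keyID, sig := range sigs {
		if pk, ok := role.Keys[keyID]; ok && ed25519.Verify(pk, payload, sig) {
			valid++ // signatures from keys not in the role are ignored, not errors
		}
	}
	if valid < role.Threshold {
		return fmt.Errorf("threshold not met: need %d valid signatures, got %d", role.Threshold, valid)
	}
	return nil
}

// buildScenario builds a role with nKeys fresh ed25519 keys and the given threshold, a constructed
// payload standing in for canonical metadata bytes, and signatures from the first nSigned keys.
func buildScenario(threshold, nKeys, nSigned int) (Role, []byte, map[string][]byte) {
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold}
	payload := []byte(`{"_type":"targets","version":7}`) // constructed sample, not real metadata
	sigs := map[string][]byte{}
	for i := 0; i < nKeys; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand; an error is not expected
		id := fmt.Sprintf("key-%d", i)
		role.Keys[id] = pub
		if i < nSigned {
			sigs[id] = ed25519.Sign(priv, payload)
		}
	}
	return role, payload, sigs
}
```

Calling verifyRole with enforceMinThreshold=false on a threshold-0 role and an empty signature map returns nil, which is the accepted-unsigned-metadata condition the advisory describes; the same call with enforceMinThreshold=true returns an error.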

Vulnerability details

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. Unauthorized modification of TUF metadata files is then possible at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Vulnerability disables TUF metadata signature verification (threshold=0), directly enabling attackers to tamper with update metadata and compromise the software supply chain.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23991 (same product: Theupdateframework Go-Tuf)
CVE-2026-41431 (shared CWE-347)
CVE-2025-52648 (shared CWE-347)
CVE-2026-34240 (shared CWE-347)
CVE-2024-56161 (shared CWE-347)
CVE-2025-24043 (shared CWE-347)
CVE-2026-23687 (shared CWE-347)
CVE-2024-13172 (shared CWE-347)
CVE-2026-41669 (shared CWE-347)
CVE-2026-27962 (shared CWE-347)

Affected Assets

theupdateframework go-tuf: versions from 2.0.0 up to, but not including, 2.3.1 (fixed in 2.3.1)

Mitigating Controls (NIST 800-53 r5)

SI-7, Software, Firmware, and Information Integrity (prevent): Directly requires cryptographic integrity verification of information (TUF metadata) to detect unauthorized modification, blocking the exact failure mode when thresholds are set to 0.

CM-14, Signed Components (prevent): Mandates that system components and metadata be signed and verified before use, preventing acceptance of TUF files whose signature thresholds have been disabled.

Prevent: Requires integrity protection for information in transit, mitigating the transit-tampering path that becomes possible once TUF signature verification is bypassed.
