go-tuf affected by client DoS via malformed server response

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

Basic Information

ID CVE-2026-23991

Source GitHub_M

Published Jan 22, 2026 at 02:16

Modified Jan 22, 2026 at 15:35

Affected Product

Vendor theupdateframework

Product go-tuf

Version >= 2.0.0, < 2.3.1

Affected Versions theupdateframework go-tuf >= 2.0.0, < 2.3.1

CWE Classification

CWE-617 CWE-754

References

{
    "lastseen": "",
    "description": "go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.",
    "published": "2026-01-22T02:16:37.294Z",
    "modified": "2026-01-22T15:35:31.770Z",
    "type": "cve",
    "title": "go-tuf affected by client DoS via malformed server response",
    "source": "GitHub_M",
    "references": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324\nhttps://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6\nhttps://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1",
    "id": "CVE-2026-23991",
    "bulletinFamily": "",
    "cwe": [
        "CWE-617",
        "CWE-754"
    ],
    "cvelist": null,
    "sourceData": "theupdateframework go-tuf >= 2.0.0, < 2.3.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "go-tuf",
    "version": ">= 2.0.0, < 2.3.1",
    "vendor": "theupdateframework",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

go-tuf affected by client DoS via malformed server response_CVE-2026-23991