CVE-2026-23991 - GitHub Advisory Database
go-tuf affected by client DoS via malformed server response
Moderate severity GitHub Reviewed Published Jan 20, 2026 in theupdateframework/go-tuf • Updated Jan 22, 2026
Package
gomod github.com/theupdateframework/go-tuf/v2 (Go)
Affected versions
< 2.3.1
Description
Security Disclosure: Client DoS via malformed server response
Summary
If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON, but not well-formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.
Impact
Client crashes upon receiving and parsing malformed TUF metadata. This can cause long-running services to enter a restart/crash loop.
Workarounds
None currently.
Affected code
The metadata.checkType function did not properly type assert the (untrusted) input, causing it to panic on malformed data.
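The following is an added illustration of the bug class the advisory describes, written for this page; it is not go-tuf's checkType or its fix (see the referenced commit for that). The JSON samples, field names, and function names are constructed assumptions: the point is that an unchecked type assertion on decoded untrusted JSON panics, while the comma-ok form returns an error the client can handle before any signature check.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed samples: both are valid JSON, but the first has a numeric "_type" where TUF needs a string.
const malformedMetadata = `{"signatures":[],"signed":{"_type":42,"version":1}}`
const wellFormedMetadata = `{"signatures":[],"signed":{"_type":"root","version":1}}`
var errBadMetadata = errors.New("malformed TUF metadata")

// decodeSigned parses an untrusted response and returns its "signed" object, or an error if that is not an object.
func decodeSigned(raw []byte) (map[string]any, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	signed, ok := doc["signed"].(map[string]any)
	if !ok {
		return nil, fmt.Errorf("%w: signed is not an object", errBadMetadata)
	}
	return signed, nil
}

// unsafeCheckType shows the hazardous pattern: an unchecked type assertion on untrusted data.
func unsafeCheckType(signed map[string]any, want string) error {
	if signed["_type"].(string) != want { // panics when _type is not a string, before any signature check
		return fmt.Errorf("%w: wrong _type", errBadMetadata)
	}
	return nil
}

// safeCheckType uses the comma-ok form, so malformed input becomes an error the client can log and retry.
func safeCheckType(signed map[string]any, want string) error {
	typ, ok := signed["_type"].(string)
	if !ok {
		return fmt.Errorf("%w: _type is not a string", errBadMetadata)
	}
	if typ != want {
		return fmt.Errorf("%w: expected %q, got %q", errBadMetadata, want, typ)
	}
	return nil
}

func main() {
	signed, _ := decodeSigned([]byte(malformedMetadata))
	fmt.Println(safeCheckType(signed, "root")) // prints the error instead of crashing
}
```

A client that receives such an error can log it and fall back to another mirror, whereas the panic in the unchecked version takes the whole process down.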
References
- GHSA-846p-jg2w-w324
- https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
- theupdateframework/go-tuf@73345ab
- https://nvd.nist.gov/vuln/detail/CVE-2026-23991
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 22, 2026