Home > Vulnerability Database > CVE-2026-23991

Mend.io Vulnerability Database

CVE-2026-23991

Good to know:

Date: January 21, 2026

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

Severity Score

5.9

Related Resources (6)

Url: https://github.com/theupdateframework/go-tuf

Url: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324

Url: https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1

Url: https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23991

Url: https://www.mend.io/vulnerability-database/CVE-2026-23991

Severity Score

5.9

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Reachable Assertion

CWE-617

Top Fix

Upgrade Version

Upgrade to version github.com/theupdateframework/go-tuf/v2 - v2.3.1;https://github.com/theupdateframework/go-tuf.git - v2.3.1;https://github.com/theupdateframework/go-tuf.git - v2.3.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23991

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?