Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
Published: 2026-01-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

go-tuf allows a client to crash when it receives TUF metadata that is syntactically valid JSON but does not conform to the TUF metadata schema. The panic occurs during parsing before any signature validation, so an attacker who can control a repository, mirror, or cache can cause any downstream client to terminate, interrupting service availability. The weakness is a control flow bypass (CWE-617) combined with a safety constraint violation (CWE-754).

Affected Systems

The vulnerability affects the Go implementation of The Update Framework shipped from version 2.0.0 through 2.3.0. Version 2.3.1 includes the fix. All installations in this range that rely on the vulnerable versions are impacted; the product is maintained by the Update Framework project under the name go-tuf.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact, and the EPSS value of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply malformed metadata to a client that retrieves data from a repository or mirror controlled by the attacker. The attack vector is network‑based, but the effect is a local DoS against the client process. Because no signature validation occurs before the panic, the attacker does not need any signing keys to succeed.

Generated by OpenCVE AI on April 18, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade go-tuf to version 2.3.1 or later.
  • Restrict the set of mirrors or repositories to those that are trusted and verified, and configure the client to ignore or reject malformed metadata before processing.
  • Wrap metadata parsing calls in a recoverable context or implement additional validation to catch malformed input and prevent the client from panicking.
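As an added example, not go-tuf's own code, the Go program below contrasts the bug class the advisory describes with the two mitigations in the list above. The toy parser naiveParse is a constructed illustration of how valid JSON that is not TUF metadata can reach an unchecked type assertion and panic; it is not the actual go-tuf code path. strictParse validates the envelope shape first and returns an error instead, and SafeParse is the recover() wrapper that the third recommendation refers to. The envelope type, the `_type` field check and both sample inputs are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample inputs (not taken from go-tuf or the advisory).
// malformedMeta is valid JSON but not a TUF envelope: "signed" is a string
// and "signatures" is absent.
const malformedMeta = `{"signed":"not-an-object"}`

// wellFormedMeta has the envelope shape this example checks; the field set
// is an assumption and far smaller than real root metadata.
const wellFormedMeta = `{"signed":{"_type":"root","version":1},"signatures":[{"keyid":"k1","sig":"00"}]}`

// ErrNotTUF is returned for input that decodes as JSON but fails the shape checks.
var ErrNotTUF = errors.New("valid JSON but not well-formed TUF metadata")

// envelope is a hypothetical minimal TUF metadata envelope (assumed names).
type envelope struct {
	Signed     json.RawMessage `json:"signed"`
	Signatures []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// naiveParse illustrates the bug class: it decodes into a generic map and
// uses unchecked type assertions, so a missing or mistyped field panics
// instead of returning an error. Constructed illustration, not go-tuf's code.
func naiveParse(raw []byte) (string, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	signed := m["signed"].(map[string]any) // panics when missing or not an object
	_ = m["signatures"].([]any)            // panics when missing or not an array
	return signed["_type"].(string), nil   // panics when _type is missing or not a string
}

// strictParse validates the envelope shape before using it and reports
// every deviation as an error, so no input reaches a type assertion.
func strictParse(raw []byte) (string, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", fmt.Errorf("decode: %w", err)
	}
	if len(env.Signed) == 0 || env.Signatures == nil {
		return "", ErrNotTUF
	}
	var signed struct {
		Type string `json:"_type"`
	}
	if err := json.Unmarshal(env.Signed, &signed); err != nil {
		return "", fmt.Errorf("%w: %v", ErrNotTUF, err)
	}
	if signed.Type == "" {
		return "", ErrNotTUF
	}
	return signed.Type, nil
}

// SafeParse runs any parser under recover(), turning a residual panic into
// an error so the calling client keeps running. It is a last-resort guard,
// not a substitute for validation, and it only covers the calling goroutine.
func SafeParse(raw []byte, parse func([]byte) (string, error)) (typ string, err error) {
	defer func() {
		if r := recover(); r != nil {
			typ = ""
			err = fmt.Errorf("metadata parser panicked: %v", r)
		}
	}()
	return parse(raw)
}

func main() {
	for _, in := range []string{wellFormedMeta, malformedMeta} {
		typ, err := SafeParse([]byte(in), naiveParse)
		fmt.Printf("naive  : type=%q err=%v\n", typ, err)
		typ, err = strictParse([]byte(in))
		fmt.Printf("strict : type=%q err=%v\n", typ, err)
	}
}
```

Running main shows the naive parser only surviving the malformed input because of the recover wrapper, while the strict parser rejects it with ErrNotTUF before any field is dereferenced. In a real client the upgrade to 2.3.1 is the fix; the wrapper is useful as defence in depth around any third-party parser, since a recovered panic still leaves the update attempt failed and should be logged as such.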



Advisories
Source: GitHub GHSA
ID: GHSA-846p-jg2w-w324
Title: go-tuf affected by client DoS via malformed server response
History

Tue, 17 Feb 2026 16:15:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 12:15:00 +0000

  Type: References
  Type: Metrics (threat_severity)
  Values removed: threat_severity = None
  Values added: threat_severity = Moderate


Fri, 23 Jan 2026 16:45:00 +0000

  Type: First Time appeared
  Values added: Theupdateframework; Theupdateframework go-tuf
  Type: Vendors & Products
  Values added: Theupdateframework; Theupdateframework go-tuf

Thu, 22 Jan 2026 16:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 02:45:00 +0000

  Type: Description
  Values added: go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
  Type: Title
  Values added: go-tuf affected by client DoS via malformed server response
  Type: Weaknesses
  Values added: CWE-617; CWE-754
  Type: References
  Type: Metrics (cvssV3_1)
  Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T15:35:31.770Z

Reserved: 2026-01-19T18:49:20.657Z

Link: CVE-2026-23991

Vulnrichment

Updated: 2026-01-22T15:35:25.431Z

NVD

Status : Analyzed

Published: 2026-01-22T03:15:47.317

Modified: 2026-02-17T16:10:55.810

Link: CVE-2026-23991

Red Hat

Severity : Moderate

Public Date: 2026-01-22T02:16:37Z

Links: CVE-2026-23991 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses