CVE-2026-23991: go-tuf affected by client DoS via malformed server response

January 21, 2026

If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.

References

github.com/advisories/GHSA-846p-jg2w-w324
github.com/theupdateframework/go-tuf
github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
nvd.nist.gov/vuln/detail/CVE-2026-23991

Code Behaviors & Features

Detect and mitigate CVE-2026-23991 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →