CVE-2026-23991: go-tuf affected by client DoS via malformed server response
If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON that is not well-formed TUF metadata), the go-tuf client panics while parsing it, causing a denial of service. The panic happens before any signature is validated, so a compromised repository, mirror or cache can crash clients without access to any signing key.
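The bug class above, as an added Go illustration that is not go-tuf's own code: a parser built on bare type assertions panics on valid JSON of the wrong shape before any signature could be checked, while the hardened version uses comma-ok assertions and a recover guard so the response is rejected instead. `Envelope`, `parseNaive` and `parseSafe` are hypothetical names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Envelope is a hypothetical stand-in for a TUF signed-metadata envelope.
type Envelope struct {
	Type       string
	Signed     map[string]any
	Signatures []any
}

// parseNaive shows the failure class: bare type assertions assume well-formed
// metadata, so valid JSON of the wrong shape panics before any signature check.
func parseNaive(data []byte) *Envelope {
	var raw map[string]any
	_ = json.Unmarshal(data, &raw)
	signed := raw["signed"].(map[string]any) // panics if missing or not an object
	return &Envelope{Type: signed["_type"].(string), Signed: signed, Signatures: raw["signatures"].([]any)}
}

// parseSafe checks each level with comma-ok assertions and converts any residual
// panic into an error, so a hostile mirror can only get its response rejected.
func parseSafe(data []byte) (env *Envelope, err error) {
	defer func() {
		if r := recover(); r != nil {
			env, err = nil, fmt.Errorf("malformed metadata: %v", r)
		}
	}()
	var raw map[string]any
	if uerr := json.Unmarshal(data, &raw); uerr != nil {
		return nil, fmt.Errorf("invalid JSON: %w", uerr)
	}
	signed, ok := raw["signed"].(map[string]any)
	if !ok {
		return nil, fmt.Errorf(`malformed metadata: "signed" is not an object`)
	}
	typ, ok := signed["_type"].(string)
	if !ok || typ == "" {
		return nil, fmt.Errorf(`malformed metadata: "_type" missing or not a string`)
	}
	sigs, ok := raw["signatures"].([]any)
	if !ok {
		return nil, fmt.Errorf(`malformed metadata: "signatures" is not an array`)
	}
	return &Envelope{Type: typ, Signed: signed, Signatures: sigs}, nil
}
```

Signature verification would run only after `parseSafe` returns a non-nil envelope, which is the ordering the advisory's fix restores.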
References
- github.com/advisories/GHSA-846p-jg2w-w324
- github.com/theupdateframework/go-tuf
- github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6
- github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
- github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
- nvd.nist.gov/vuln/detail/CVE-2026-23991