DEBIAN-CVE-2026-23991

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-23991

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23991.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-23991

Upstream

CVE-2026-23991

Published

2026-01-22T03:15:47.317Z

Modified

2026-02-18T10:23:52.259127Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

References

https://security-tracker.debian.org/tracker/CVE-2026-23991

Affected packages

Debian:13 / golang-github-theupdateframework-go-tuf

Package

Name: golang-github-theupdateframework-go-tuf
Purl: pkg:deb/debian/golang-github-theupdateframework-go-tuf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.2+0.7.0-1

2.3.0+0.7.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23991.json"

Debian:14 / golang-github-theupdateframework-go-tuf