2431928 – (CVE-2026-23991) CVE-2026-23991 github.com/theupdateframework/go-tuf/v2: go-tuf client DoS via malformed server response

Bug 2431928 (CVE-2026-23991) - CVE-2026-23991 github.com/theupdateframework/go-tuf/v2: go-tuf client DoS via malformed server response

Summary: CVE-2026-23991 github.com/theupdateframework/go-tuf/v2: go-tuf client DoS via...

Keywords:
Status:	NEW
Alias:	CVE-2026-23991
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2433101 2433098 2433099 2433103 2433105 2433108
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-22 03:01 UTC by OSIDB Bzimport
Modified:	2026-01-26 22:34 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-22 03:01:35 UTC

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

Note You need to log in before you can comment on or make changes to this bug.