Bug 2431929 (CVE-2026-23992) - CVE-2026-23992 github.com/theupdateframework/go-tuf/v2: go-tuf improperly validates the configured threshold for delegations
Summary: CVE-2026-23992 github.com/theupdateframework/go-tuf/v2: go-tuf improperly validates the configured threshold for delegations
Keywords:
Status: NEW
Alias: CVE-2026-23992
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2433104 2433100 2433102 2433106 2433107
Blocks:
Reported: 2026-01-22 03:01 UTC by OSIDB Bzimport
Modified: 2026-04-16 20:17 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-22 03:01:41 UTC
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can set the configured signature threshold of a role to 0, which effectively disables signature verification for that role: zero valid signatures satisfy a threshold of zero. This makes unauthorized modification of TUF metadata files possible, at rest or in transit, because no integrity check is actually enforced. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. Note that this workaround only covers the misconfiguration case on the repository side; a client cannot rely on it against a repository that is already compromised, so upgrading the client library is the real fix.
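The following is an added example illustrating the failure mode described above; it is not code from go-tuf and does not reproduce the actual 2.3.1 fix. It uses simplified stand-in types for a TUF role and metadata file (the real go-tuf types are richer), signs constructed sample metadata with a freshly generated Ed25519 key, and contrasts a check that trusts a configured threshold of 0 (VerifyLax, the CVE behaviour) with one that rejects any threshold below 1, or one the listed keys cannot meet, before counting signatures (VerifyStrict). All function and type names here are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Simplified stand-ins for TUF structures (example types, not go-tuf's own):
// Role lists the key IDs allowed to sign and how many must; Metadata is the
// signed bytes plus the signatures over them.
type Role struct {
	KeyIDs    []string
	Threshold int
}
type Signature struct {
	KeyID string
	Sig   []byte
}
type Metadata struct {
	Signed     []byte
	Signatures []Signature
}

// countValid returns how many distinct keys listed in role produced a valid
// signature over md.Signed; unlisted keys and duplicate key IDs do not count.
func countValid(md Metadata, role Role, keys map[string]ed25519.PublicKey) int {
	authorized := map[string]bool{}
	for _, id := range role.KeyIDs {
		authorized[id] = true
	}
	seen := map[string]bool{}
	for _, s := range md.Signatures {
		pub, known := keys[s.KeyID]
		if !authorized[s.KeyID] || !known || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, md.Signed, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// VerifyLax is the flawed shape of the check: the configured threshold is
// trusted as-is, so Threshold == 0 is met by zero valid signatures.
func VerifyLax(md Metadata, role Role, keys map[string]ed25519.PublicKey) error {
	if n := countValid(md, role, keys); n < role.Threshold {
		return fmt.Errorf("%d valid signature(s), threshold is %d", n, role.Threshold)
	}
	return nil
}

// VerifyStrict validates the role before counting anything: a threshold
// below 1, or one the listed keys cannot meet, is a configuration error.
func VerifyStrict(md Metadata, role Role, keys map[string]ed25519.PublicKey) error {
	if role.Threshold < 1 {
		return fmt.Errorf("invalid role: threshold %d, must be at least 1", role.Threshold)
	}
	if len(role.KeyIDs) < role.Threshold {
		return fmt.Errorf("invalid role: %d key(s) cannot meet threshold %d", len(role.KeyIDs), role.Threshold)
	}
	return VerifyLax(md, role, keys)
}

// DemoResult: LaxAcceptsUnsigned is the CVE behaviour; the other two fields
// show the strict check rejecting it while still accepting valid signatures.
type DemoResult struct {
	LaxAcceptsUnsigned    bool
	StrictRejectsUnsigned bool
	StrictAcceptsSigned   bool
}

// Demo signs constructed sample metadata with one key, then checks unsigned
// (tampered) metadata against a role whose threshold was set to 0.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		return DemoResult{}, err
	}
	id := "example-key-1" // hypothetical key ID; TUF derives real IDs from a hash of the key
	keys := map[string]ed25519.PublicKey{id: pub}
	signed := []byte(`{"_type":"targets","version":7}`) // constructed sample payload
	good := Metadata{Signed: signed, Signatures: []Signature{{KeyID: id, Sig: ed25519.Sign(priv, signed)}}}
	unsigned := Metadata{Signed: []byte(`{"_type":"targets","version":99}`)} // tampered, no signatures
	zeroRole := Role{KeyIDs: []string{id}, Threshold: 0} // misconfigured or attacker-supplied
	oneRole := Role{KeyIDs: []string{id}, Threshold: 1}
	return DemoResult{
		LaxAcceptsUnsigned:    VerifyLax(unsigned, zeroRole, keys) == nil,
		StrictRejectsUnsigned: VerifyStrict(unsigned, zeroRole, keys) != nil,
		StrictAcceptsSigned:   VerifyStrict(good, oneRole, keys) == nil,
	}, nil
}

func main() {
	r, err := Demo()
	fmt.Println(r, err)
}
```

The point of the strict variant is ordering: role validity (threshold at least 1, enough listed keys to meet it) is checked before any signature counting, so a repository cannot turn verification off through configuration, and the comparison `n < role.Threshold` is only ever evaluated against a threshold that demands at least one real signature.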

