AZL-75186

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-75186.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-75186

Upstream

CVE-2026-23991

Published

2026-01-22T03:15:47Z

Modified

2026-04-01T05:22:49.363721Z

Summary

CVE-2026-23991 affecting package gh 2.62.0-10

Details

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-23991

Affected packages

Azure Linux:3 / gh

Package

Name: gh
Purl: pkg:rpm/azure-linux/gh

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.62.0-10

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-75186.json"