UBUNTU-CVE-2026-23991

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-23991

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23991.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-23991

Upstream

CVE-2026-23991

Published

2026-01-22T03:15:00Z

Modified

2026-02-19T20:53:45.846531Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

References

Affected packages

Ubuntu:24.04:LTS / golang-github-theupdateframework-go-tuf

Package

Name: golang-github-theupdateframework-go-tuf
Purl: pkg:deb/ubuntu/golang-github-theupdateframework-go-tuf@0.6.1-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.5.2-5

0.6.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-theupdateframework-go-tuf-dev",
            "binary_version": "0.6.1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23991.json"

Ubuntu:25.10 / golang-github-theupdateframework-go-tuf