Panic at the Distro: Crashing go-tuf with Malformed JSON
Jan 21, 2026
Executive Summary (TL;DR)
CVE-2026-23991 is a remotely triggerable denial of service in `go-tuf`, the Go implementation of The Update Framework, caused by a classic Go mistake: single-value type assertions on values decoded from untrusted JSON. A party that can serve metadata to the client (a compromised or malicious mirror, or a man-in-the-middle on the download path) replaces an expected JSON object with a primitive such as a string or number; the client's assertion fails and the process panics. The panic happens while the metadata is being parsed, before its signatures are verified, so the attacker needs no TUF signing keys: the crash occurs in code that runs on every fetch, and no signature check ever gets the chance to reject the payload. The impact is on availability only. The client process dies, and a client that restarts and re-fetches the same metadata dies again; the integrity of delivered updates is not affected, which is why the CVSS score is High (7.5) rather than Critical. The fix is to upgrade to v2.3.1.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| github.com/theupdateframework/go-tuf (The Update Framework, TUF) | < v2.3.1 | v2.3.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-400 (Uncontrolled Resource Consumption) |
| Attack Vector | Network (Remote) |
| CVSS | 7.5 (High) |
| Impact | Denial of Service (Application Crash) |
| Vulnerability | Runtime Panic via Type Assertion |
| Exploit Status | POC Available |
The software does not properly handle an unexpected data type: a JSON primitive (string, number, boolean or null) arrives where a JSON object is expected, the type assertion that follows the decode fails, and the resulting runtime panic terminates the client process.
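The pattern described in the summary and in the weakness description above, shown as an added illustration in Go. This is not go-tuf's own code: the envelope and field names, the function names, and the struct shapes are assumptions made for the example, and all metadata strings are constructed. The three parsers show the panicking single-value assertion, the same logic with comma-ok assertions, and a typed-struct decode that never touches `interface{}`; the malformed inputs go beyond the single string case in the text and cover every non-object JSON value.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample metadata (not real TUF metadata). goodMeta has the
// expected shape; badMeta replaces the "signed" object with a string.
const (
	goodMeta = `{"signatures":[{"keyid":"k1","sig":"00"}],"signed":{"_type":"root","version":1}}`
	badMeta  = `{"signatures":[{"keyid":"k1","sig":"00"}],"signed":"not-an-object"}`
)

// malformedVariants: "signed" replaced by each non-object JSON value (constructed).
var malformedVariants = []string{
	`{"signatures":[],"signed":"str"}`,
	`{"signatures":[],"signed":42}`,
	`{"signatures":[],"signed":true}`,
	`{"signatures":[],"signed":null}`,
	`{"signatures":[],"signed":[1,2]}`,
}

// vulnerableSignedType is the unsafe pattern: decode untrusted JSON into
// map[string]any, then assert the expected shape with a single-value
// assertion. A primitive or null where an object is expected panics with an
// "interface conversion" runtime error before any signature is checked.
func vulnerableSignedType(raw []byte) string {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return ""
	}
	signed := m["signed"].(map[string]any) // panics on wrong type
	return signed["_type"].(string)         // panics on wrong type
}

// hardenedSignedType is the same logic with comma-ok assertions: a wrong
// shape becomes an error the caller can reject instead of a crash.
func hardenedSignedType(raw []byte) (string, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	signed, ok := m["signed"].(map[string]any)
	if !ok {
		return "", errors.New(`metadata: "signed" is not a JSON object`)
	}
	t, ok := signed["_type"].(string)
	if !ok {
		return "", errors.New(`metadata: "_type" is not a string`)
	}
	return t, nil
}

// envelope and signedHeader are hypothetical struct shapes for this example.
// Decoding into typed structs, keeping the to-be-verified part as
// json.RawMessage, lets encoding/json reject a wrong shape with an error, so
// no type assertion is needed at all.
type envelope struct {
	Signatures []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
	Signed json.RawMessage `json:"signed"`
}

type signedHeader struct {
	Type string `json:"_type"`
}

func typedSignedType(raw []byte) (string, error) {
	var e envelope
	if err := json.Unmarshal(raw, &e); err != nil {
		return "", err
	}
	var h signedHeader
	if err := json.Unmarshal(e.Signed, &h); err != nil {
		return "", fmt.Errorf(`metadata: "signed" is not an object: %w`, err)
	}
	if h.Type == "" { // also catches "signed": null, which decodes as a no-op
		return "", errors.New(`metadata: "_type" missing or not a string`)
	}
	return h.Type, nil
}

// countPanics runs fn over each input and reports how many calls panicked.
func countPanics(fn func([]byte) string, inputs []string) (n int) {
	for _, in := range inputs {
		func() {
			defer func() {
				if recover() != nil {
					n++
				}
			}()
			fn([]byte(in))
		}()
	}
	return n
}

// countRejected runs fn over each input and reports how many returned an error.
func countRejected(fn func([]byte) (string, error), inputs []string) (n int) {
	for _, in := range inputs {
		if _, err := fn([]byte(in)); err != nil {
			n++
		}
	}
	return n
}

func main() {
	total := len(malformedVariants)
	fmt.Printf("vulnerable parser: %d of %d malformed inputs panic\n", countPanics(vulnerableSignedType, malformedVariants), total)
	fmt.Printf("comma-ok parser:   %d of %d malformed inputs rejected with an error\n", countRejected(hardenedSignedType, malformedVariants), total)
	fmt.Printf("typed parser:      %d of %d malformed inputs rejected with an error\n", countRejected(typedSignedType, malformedVariants), total)
	t, err := typedSignedType([]byte(goodMeta))
	fmt.Println("good metadata:", t, err)
}
```

The typed-struct form is the one to prefer in new code: it removes the class of bug rather than patching each assertion, and the `json.RawMessage` keeps the exact bytes that the signature later has to be verified over. To see whether a dependent module pulls in an affected go-tuf, `go list -m all` (filtering for go-tuf) shows the resolved version, and `govulncheck ./...` reports reachable vulnerable call paths once the advisory is in the Go vulnerability database.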