CVE-2026-23992

Trust Fall: Bypassing Go-TUF Signature Verification with a Single Zero

Alon Barad
Software Engineer

Jan 21, 2026 · 5 min read

Executive Summary (TL;DR)

The `go-tuf` library, a Go implementation of The Update Framework (TUF), failed to validate that signature thresholds were positive integers. By providing metadata with a threshold of `0` (or omitting the field to rely on Go's zero-value), an attacker can force the verifier to accept unsigned content. This allows for total supply chain compromise of systems relying on affected versions.

A critical logic flaw in `go-tuf` allows attackers to bypass signature verification by setting the delegation threshold to zero. This effectively turns off the security mechanism, allowing arbitrary updates to be trusted.
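To make the flaw concrete, here is an added example (my own simplified verifier, not go-tuf's code) that places the flawed comparison described above beside a hardened version. The `Role`, `Signature`, `verifyVulnerable` and `verifyFixed` names are hypothetical, and the sample metadata payload is constructed; the only real primitive used is Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role is a minimal stand-in for a TUF role definition (hypothetical type,
// not go-tuf's own): which key IDs are trusted and how many distinct valid
// signatures are required. If the JSON omits "threshold", Go's zero-value
// leaves Threshold at 0.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// Signature pairs a key ID with an Ed25519 signature over the metadata payload.
type Signature struct {
	KeyID string
	Sig   []byte
}

// countValidSignatures returns how many distinct trusted keys produced a valid
// signature over payload. A key that signs twice is counted once.
func countValidSignatures(role Role, keys map[string]ed25519.PublicKey, payload []byte, sigs []Signature) int {
	trusted := make(map[string]bool, len(role.KeyIDs))
	for _, id := range role.KeyIDs {
		trusted[id] = true
	}
	seen := make(map[string]bool)
	for _, s := range sigs {
		pub, ok := keys[s.KeyID]
		if !ok || !trusted[s.KeyID] || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, payload, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// verifyVulnerable mirrors the flawed comparison the advisory describes: the
// only check is "valid signatures >= threshold", so Threshold == 0 is
// satisfied by an empty signature list and unsigned metadata is accepted.
func verifyVulnerable(role Role, keys map[string]ed25519.PublicKey, payload []byte, sigs []Signature) error {
	if countValidSignatures(role, keys, payload, sigs) >= role.Threshold {
		return nil
	}
	return errors.New("insufficient valid signatures")
}

// verifyFixed applies the kind of input validation the advisory lists as the
// fix (my reconstruction, not the project's actual patch): the threshold must
// be a positive integer and cannot exceed the number of trusted keys, and
// both checks run before any signature is counted.
func verifyFixed(role Role, keys map[string]ed25519.PublicKey, payload []byte, sigs []Signature) error {
	if role.Threshold < 1 {
		return fmt.Errorf("invalid threshold %d: must be a positive integer", role.Threshold)
	}
	if role.Threshold > len(role.KeyIDs) {
		return fmt.Errorf("threshold %d exceeds %d trusted keys", role.Threshold, len(role.KeyIDs))
	}
	if countValidSignatures(role, keys, payload, sigs) < role.Threshold {
		return errors.New("insufficient valid signatures")
	}
	return nil
}

// newKey generates a fresh Ed25519 key pair for the constructed scenario.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	// Constructed scenario: one trusted key, a metadata payload, and a role
	// whose threshold is 0 (or omitted) presented with no signatures at all.
	pub, priv := newKey()
	keys := map[string]ed25519.PublicKey{"key-A": pub}
	payload := []byte(`{"_type":"targets","version":2}`) // constructed sample
	zeroRole := Role{KeyIDs: []string{"key-A"}, Threshold: 0}
	var noSigs []Signature

	fmt.Println("vulnerable, threshold 0, no signatures:", verifyVulnerable(zeroRole, keys, payload, noSigs)) // nil: accepted
	fmt.Println("fixed,      threshold 0, no signatures:", verifyFixed(zeroRole, keys, payload, noSigs))      // error: rejected

	// Properly signed metadata with threshold 1 still passes the fixed verifier.
	okRole := Role{KeyIDs: []string{"key-A"}, Threshold: 1}
	sigs := []Signature{{KeyID: "key-A", Sig: ed25519.Sign(priv, payload)}}
	fmt.Println("fixed,      threshold 1, valid signature:", verifyFixed(okRole, keys, payload, sigs)) // nil
}
```

The point the fixed version makes is that the threshold is part of the trust policy and has to be validated as such, independently of how many signatures happen to be present; treating a zero or absent value as "no signatures required" is exactly the incorrect comparison the CWE-697 classification refers to. A defender auditing a custom TUF client can check for the same pattern: any `>= threshold` comparison that is reachable with an unvalidated threshold.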

Technical Appendix

CVSS Score: 9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 12.00% (top 15% most exploited)

Affected Systems

- go-tuf < v2.3.1
- Systems relying on go-tuf for OTA updates
- Custom TUF implementations copying the go-tuf logic

Affected Versions Detail

Product                          Affected Versions   Fixed Version
go-tuf (The Update Framework)    < 2.3.1             2.3.1

Attribute        Detail
CWE ID           CWE-697 (Incorrect Comparison)
Attack Vector    Network (Man-in-the-Middle)
Impact           Integrity Bypass / RCE
CVSS Score       9.8 (Critical)
Exploit Status   PoC Available
Fix Complexity   Low (Input Validation)

Vulnerability Timeline

Initial Discovery: 2025-12-15
Patch Committed (b38d91f): 2026-01-19
Public Disclosure & CVE Assigned: 2026-01-20