CVE-2026-23992

EUVD-2026-3672
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can set the configured signature threshold of a role to 0, which effectively disables signature verification. This allows unauthorized modification of TUF metadata files at rest or in transit, because no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
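The workaround above (every role threshold at least 1) expressed as a check an operator or client could run over root metadata before trusting it. This is an added example, not go-tuf's own code; the JSON field names follow the TUF specification, the extra threshold-versus-key-count check is an assumption about what a sane policy looks like, and both sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal view of TUF root metadata: only the fields needed to audit role
// thresholds (field layout follows the TUF specification).
type roleSpec struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}
type rootMetadata struct {
	Signed struct {
		Roles map[string]roleSpec `json:"roles"`
	} `json:"signed"`
}

// CheckRoleThresholds rejects root metadata in which a top-level role is missing,
// has a threshold below 1 (no signature required, so verification is effectively
// disabled), or has a threshold above its key count (never satisfiable).
func CheckRoleThresholds(raw []byte) error {
	var md rootMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return fmt.Errorf("parse root metadata: %w", err)
	}
	var problems []string
	for _, name := range []string{"root", "targets", "snapshot", "timestamp"} {
		role, ok := md.Signed.Roles[name]
		switch {
		case !ok:
			problems = append(problems, name+": role missing")
		case role.Threshold < 1:
			problems = append(problems, fmt.Sprintf("%s: threshold %d disables signature verification", name, role.Threshold))
		case role.Threshold > len(role.KeyIDs):
			problems = append(problems, fmt.Sprintf("%s: threshold %d exceeds %d assigned keys", name, role.Threshold, len(role.KeyIDs)))
		}
	}
	if len(problems) > 0 {
		return errors.New("unsafe role thresholds: " + strings.Join(problems, "; "))
	}
	return nil
}
// Constructed samples (signatures omitted; not data from any real repository).
const goodRoot = `{"signed":{"_type":"root","roles":{"root":{"keyids":["k1","k2"],"threshold":2},"targets":{"keyids":["k3"],"threshold":1},"snapshot":{"keyids":["k4"],"threshold":1},"timestamp":{"keyids":["k5"],"threshold":1}}},"signatures":[]}`
const zeroThresholdRoot = `{"signed":{"_type":"root","roles":{"root":{"keyids":["k1"],"threshold":1},"targets":{"keyids":["k3"],"threshold":1},"snapshot":{"keyids":["k4"],"threshold":1},"timestamp":{"keyids":["k5"],"threshold":0}}},"signatures":[]}`
```

Run it against the root.json a client has already cached as well as the freshly downloaded one: a threshold that drops to 0 between two versions is exactly the change this advisory describes.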
CVSS 3.x base score (provider: NIST, type: Primary): 5.9 MEDIUM
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: percentile 1%
Affected Products (NVD)
  Vendor: theupdateframework
  Product: go-tuf
  Version: 2.0.0 ≤ x < 2.3.1 (x = vulnerable software versions)
Debian Releases
  Product: golang-github-theupdateframework-go-tuf
    forky:  2.4.1+0.7.0-2 (fixed)
    sid:    2.4.1+0.7.0-2 (fixed)
    trixie: no-dsa
openSUSE / SLES Releases
  Product: cosign
    suse enterprise desktop 15 SP7: 3.0.5-150400.3.35.1 (fixed)
    suse enterprise sap 15 SP7:     3.0.5-150400.3.35.1 (fixed)
    suse enterprise server 15 SP7:  3.0.5-150400.3.35.1 (fixed)
  Product: cosign-bash-completion
    suse enterprise desktop 15 SP7: 3.0.5-150400.3.35.1 (fixed)
    suse enterprise sap 15 SP7:     3.0.5-150400.3.35.1 (fixed)
    suse enterprise server 15 SP7:  3.0.5-150400.3.35.1 (fixed)
  Product: cosign-zsh-completion
    suse enterprise desktop 15 SP7: 3.0.5-150400.3.35.1 (fixed)
    suse enterprise sap 15 SP7:     3.0.5-150400.3.35.1 (fixed)
    suse enterprise server 15 SP7:  3.0.5-150400.3.35.1 (fixed)