CVE-2026-23991
ADVISORY - githubSummary
Security Disclosure: Client DoS via malformed server response
Summary
If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.
Impact
Client crashes upon receiving and parsing malformed TUF metadata. This can cause long running services to enter an restart/crash loop.
Workarounds
None currently.
Affected code
The metadata.checkType function did not properly type assert the (untrusted) input causing it to panic on malformed data.
NIST
CVSS SCORE
5.9mediumGitHub
CVSS SCORE
5.9mediumDebian
-
Ubuntu
-
CVSS SCORE
N/AmediumGoLang
-
Chainguard
CGA-59j7-6p4f-jqgq
-
Chainguard
CGA-q2cx-3rhg-vp74
-
minimos
MINI-26wr-jqrq-5hh3
-
minimos
MINI-274m-48g4-j6v6
-
minimos
MINI-2p8q-r2xv-9hx2
-
minimos
MINI-4v3q-phqf-gr2w
-
minimos
MINI-4wj8-f3q4-94x3
-
minimos
MINI-5wj6-p26m-h8c5
-
minimos
MINI-7q6q-fpxh-3f7h
-
minimos
MINI-85q8-8m34-hv3c
-
minimos
MINI-8h92-gpcg-8j4j
-
minimos
MINI-8m9f-rq4f-cpgc
-
minimos
MINI-c69f-6rc6-6599
-
minimos
MINI-f676-96g2-rxq9
-
minimos
MINI-hjrp-ww3c-cqwj
-
minimos
MINI-q8ff-7xj4-xmvf
-
minimos
MINI-rgwh-px29-7mfj
-
minimos
MINI-v3pq-h3c7-jx7x
-
minimos
MINI-wr7v-hh2x-m556
-
minimos
MINI-x5jp-64jq-r5x5
-