Sign In

CVE-2026-23991

ADVISORY - github

Summary

Security Disclosure: Client DoS via malformed server response

Summary

If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.

Impact

Client crashes upon receiving and parsing malformed TUF metadata. This can cause long running services to enter an restart/crash loop.

Workarounds

None currently.

Affected code

The metadata.checkType function did not properly type assert the (untrusted) input causing it to panic on malformed data.

EPSS Score: 0.00015 (0.023)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-617

Reachable Assertion

CWE-754

Improper Check for Unusual or Exceptional Conditions

ADVISORY - github

CWE-617

Reachable Assertion

CWE-754

Improper Check for Unusual or Exceptional Conditions

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in