DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23991: Panic at the Distro: Crashing go-tuf with Malformed JSON


Vulnerability ID: CVE-2026-23991
CVSS Score: 7.5
Published: 2026-01-21

A critical Denial of Service vulnerability in the Go implementation of The Update Framework (go-tuf) allows unauthenticated attackers to crash client applications by serving malformed metadata. The crash occurs due to unsafe type assertions before cryptographic verification.

TL;DR

CVE-2026-23991 is a remote DoS in go-tuf caused by a classic Go mistake: unsafe type assertions on untrusted JSON. An attacker controlling a mirror or performing a MitM attack can force the update client to panic by serving a JSON payload in which expected objects are replaced with primitives. This happens before signature verification, so no signing keys are required to crash the update client.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Network (Remote)
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (Application Crash)
  • Vulnerability: Runtime Panic via Type Assertion
  • Exploit Status: POC Available

Affected Systems

  • Go applications using github.com/theupdateframework/go-tuf
  • TUF Client Implementations in Go
  • Container image updaters relying on go-tuf
  • IoT firmware updaters relying on go-tuf
  • github.com/theupdateframework/go-tuf: < v2.3.1 (Fixed in: v2.3.1)

Code Analysis

Commit: 73345ab

Fix: perform safer type assertions in metadata checkType

- signedType := m["signed"].(map[string]any)["_type"].(string)
+ signed, ok := m["signed"].(map[string]any)
+ if !ok { return error }
+ signedType, ok := signed["_type"].(string)
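Review bot: the second comma-ok result at `signedType, ok := signed["_type"].(string)` is never checked in the visible lines; without an `if !ok` guard after it, a non-string `_type` still slips through with `signedType` set to the empty string instead of being rejected, so the fix is only half applied as shown. The placeholder `if !ok { return error }` is also not valid Go (`error` is a type, not a value); return a concrete error such as `fmt.Errorf("metadata: signed is not a JSON object")` at both checkpoints.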

Exploit Details

  • Simulated PoC: Send JSON {"signed": 1} to trigger interface conversion panic.

Mitigation Strategies

  • Input Validation: Ensure strict schema validation before processing JSON data.
  • Safe Type Assertions: Always use the comma-ok idiom in Go when asserting interfaces from untrusted sources.
  • Panic Recovery: Implement panic recovery middleware in critical services to prevent full process termination.
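To make the comma-ok mitigation concrete, here is an added example (not go-tuf's code) that places the vulnerable chained assertion beside its hardened form and exercises both with the PoC-shaped payload; the names checkTypeUnsafe, checkTypeSafe and panics are assumed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// checkTypeUnsafe mirrors the vulnerable pattern: chained type assertions on
// untrusted JSON. A non-object "signed" or non-string "_type" panics before any signature check.
func checkTypeUnsafe(m map[string]any, want string) error {
	signedType := m["signed"].(map[string]any)["_type"].(string)
	if signedType != want {
		return fmt.Errorf("unexpected metadata type %q, want %q", signedType, want)
	}
	return nil
}

// checkTypeSafe applies the comma-ok idiom to every assertion, so malformed
// metadata becomes an error the caller can handle instead of a process-wide panic.
func checkTypeSafe(m map[string]any, want string) error {
	signed, ok := m["signed"].(map[string]any)
	if !ok {
		return fmt.Errorf("malformed metadata: %q is not a JSON object", "signed")
	}
	signedType, ok := signed["_type"].(string)
	if !ok {
		return fmt.Errorf("malformed metadata: %q is not a string", "_type")
	}
	if signedType != want {
		return fmt.Errorf("unexpected metadata type %q, want %q", signedType, want)
	}
	return nil
}

// panics runs fn and reports whether it panicked, so the crash can be
// demonstrated without terminating the process.
func panics(fn func()) (p bool) {
	defer func() { p = recover() != nil }()
	fn()
	return
}

func main() {
	var m map[string]any
	if err := json.Unmarshal([]byte(`{"signed": 1}`), &m); err != nil { // constructed sample, shaped like the PoC
		panic(err)
	}
	fmt.Println("unsafe checkType panics:", panics(func() { _ = checkTypeUnsafe(m, "root") }))
	fmt.Println("safe checkType error:", checkTypeSafe(m, "root"))
}
```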

Remediation Steps

  1. Upgrade the go-tuf dependency to version v2.3.1 or later.
  2. Run go mod tidy to clean up dependencies.
  3. Rebuild and redeploy the client application.

Read the full report for CVE-2026-23991 on our website for more details including interactive diagrams and full exploit analysis.
