7.5

CVE-2026-23992

EPSS 0.01%
Veröffentlicht 22.01.2026 02:20:06
Zuletzt bearbeitet 17.02.2026 16:02:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Theupdateframework ≫ Go-tuf Version >= 2.0.0 < 2.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.008

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525

Patch

Vendor Advisory

https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23992

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23992

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23992

EUVD