CVE-2026-23991 is a medium severity vulnerability with a CVSS score of 5.9. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON that is not well-formed TUF metadata), the client panics during parsing, causing a DoS. The panic happens before any signature is validated, so a compromised repository, mirror, or cache can DoS clients without access to any signing key.
The client crashes upon receiving and parsing malformed TUF metadata. This can cause long-running services to enter a restart/crash loop.
None currently.
The metadata.checkType function did not properly type-assert the (untrusted) input, causing it to panic on malformed data.
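The defect class described above, shown as an added illustration that is not go-tuf's own code: a single-value Go type assertion on untrusted JSON panics when the value has the wrong type, while the two-value form turns the same input into an ordinary error. The function names, the sample document, and the `signed`/`_type` layout are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// signedTypeUnsafe reproduces the failure mode: single-value type assertions on
// untrusted JSON panic when the shape is wrong. Hypothetical, not go-tuf's code.
func signedTypeUnsafe(raw []byte) (string, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", err
	}
	signed := doc["signed"].(map[string]any) // panics if missing or not an object
	return signed["_type"].(string), nil     // panics if not a string
}

// signedTypeSafe uses the two-value ("comma ok") assertion form, so malformed
// input becomes an error the caller can log and reject instead of a crash.
func signedTypeSafe(raw []byte) (string, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", err
	}
	signed, ok := doc["signed"].(map[string]any)
	if !ok {
		return "", fmt.Errorf("malformed metadata: \"signed\" missing or not an object")
	}
	typ, ok := signed["_type"].(string)
	if !ok {
		return "", fmt.Errorf("malformed metadata: \"_type\" missing or not a string")
	}
	return typ, nil
}

// panics reports whether fn panics, so the crash can be shown without killing the process.
func panics(fn func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	fn()
	return false
}

func main() {
	// Constructed sample: valid JSON, but "_type" is a number, not a string.
	bad := []byte(`{"signatures":[],"signed":{"_type":42,"version":1}}`)
	fmt.Println("unsafe panics:", panics(func() { _, _ = signedTypeUnsafe(bad) }))
	_, err := signedTypeSafe(bad)
	fmt.Println("safe error:", err)
}
```

Because the parse happens before signature verification, the safe variant is what keeps a bad mirror from crashing the process; rejecting the document and moving on to the next mirror is the defensive outcome.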
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.