CNNVD-202601-3902 Information

CNNVD ID

CNNVD-202601-3902

CVE-2026-23992

  • CNNVD Published: 2026-01-22

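Description (translated from Chinese)

go-tuf is an open-source framework from The Update Framework for securing software update systems. go-tuf versions from 2.0.0 up to, but not including, 2.3.1 contain a data forgery vulnerability. It stems from an improperly configured signature threshold and may allow unauthorized modification of TUF metadata files.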

Description (English)

go-tuf is an open-source framework from The Update Framework for protecting software update systems. go-tuf versions from 2.0 up to, but not including, 2.3.1 contain a data forgery vulnerability. It stems from an improperly configured signature threshold and may lead to unauthorized changes to TUF metadata files.

Hazard Level

High

Vulnerability Type

Data forgery issue

Affected Vendor

The Update Framework

Published

2026-01-22

Last Modified

2026-02-24

References

  • https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0
  • https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525

Patch

https://github.com/theupdateframework/go-tuf/releases
