microsoft · LeoMar4 · Feb 10, 2026 · Jan 26, 2026
@@ -0,0 +1,45 @@
+From c00a0f0b748c1e42e9ffc4768d9c9ff90ac99d05 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 26 Jan 2026 19:57:27 +0000
+Subject: [PATCH] Perform type assertion (#710)
+
+* Perform type assertion
+
+Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
+
+* Correct error type
+
+Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
+
+---------
+
+Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6.patch
+---
+ .../theupdateframework/go-tuf/v2/metadata/metadata.go    | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go b/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
+index 3e0a9e1..6d9fbc5 100644
+--- a/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
++++ b/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
+@@ -896,7 +896,14 @@ func checkType[T Roles](data []byte) error {
+ 	if err := json.Unmarshal(data, &m); err != nil {
+ 		return err
+ 	}
+-	signedType := m["signed"].(map[string]any)["_type"].(string)
++	signed, ok := m["signed"].(map[string]any)
++	if !ok {
++		return &ErrValue{Msg: "metadata 'signed' field is missing or not an object"}
++	}
++	signedType, ok := signed["_type"].(string)
++	if !ok {
++		return &ErrValue{Msg: "no _type found in signed"}
++	}
+ 	switch i.(type) {
+ 	case *RootType:
+ 		if ROOT != signedType {
+-- 
+2.45.4
+
@@ -0,0 +1,35 @@
+From 0c7986153dbeacafdbe04e5c501c14c05a55d72b Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 26 Jan 2026 19:59:08 +0000
+Subject: [PATCH] Verify threshold is valid (#712)
+
+Verify threshold is valid by ensuring role threshold is at least 1 in VerifyDelegate.
+
+Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0.patch
+---
+ .../theupdateframework/go-tuf/v2/metadata/metadata.go      | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go b/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
+index 6d9fbc5..980c7ff 100644
+--- a/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
++++ b/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
+@@ -296,6 +296,13 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata
+ 	if len(roleKeyIDs) == 0 {
+ 		return &ErrValue{Msg: fmt.Sprintf("no delegation found for %s", delegatedRole)}
+ 	}
++	// verify threshold should be at least 1
++	if roleThreshold < 1 {
++		return &ErrValue{Msg: fmt.Sprintf("insufficient threshold (%d) configured for %s",
++			roleThreshold,
++			delegatedRole)}
++	}
++
+ 	// loop through each role keyID
+ 	for _, keyID := range roleKeyIDs {
+ 		key, ok := keys[keyID]
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -24,6 +24,8 @@ Patch8:         CVE-2025-22869.patch
 Patch9:         CVE-2025-22872.patch
 Patch10:        CVE-2025-48938.patch
 Patch11:        CVE-2025-58183.patch
+Patch12:        CVE-2026-23991.patch
+Patch13:        CVE-2026-23992.patch
 
 BuildRequires:  golang < 1.24
 BuildRequires:  git
@@ -68,6 +70,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Mon Jan 26 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-11
+- Patch for CVE-2026-23991, CVE-2026-23992
+
 * Sat Nov 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-10
 - Patch for CVE-2025-58183