CVE-2026-32280 - Vulnerability Details - OpenCVE

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Key SSVC decision points have not yet been added.

Vendors	Products
Go Standard Library	Crypto/x509

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Go Standard Library	Crypto/x509

References

Link	Providers
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4947

History

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go Standard Library Go Standard Library crypto/x509
Vendors & Products		Go Standard Library Go Standard Library crypto/x509

Wed, 08 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 08 Apr 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Title		Unexpected work during chain building in crypto/x509
References		https://go.dev/cl/758320 https://go.dev/issue/78282 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4947

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-04-08T01:06:58.595Z

Updated: 2026-04-08T17:46:47.347Z

Reserved: 2026-03-11T16:38:46.555Z

Link: CVE-2026-32280

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T02:16:03.247

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-32280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:28:12Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32280", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.555Z", "datePublished": "2026-04-08T01:06:58.595Z", "dateUpdated": "2026-04-08T17:46:47.347Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:58.595Z"}, "title": "Unexpected work during chain building in crypto/x509", "descriptions": [{"lang": "en", "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Certificate.buildChains"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://go.dev/cl/758320"}, {"url": "https://go.dev/issue/78282"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4947"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:46:14.569488Z", "id": "CVE-2026-32280", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:46:47.347Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "crypto/x509", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-08T21:36:29.656801+00:00", "value": {"mitigation_remediation": ["Upgrade your Go installation to the latest release that includes the fix for this vulnerability", "Verify that any TLS or X509 operations in your application use the updated library", "Test your application with a large number of intermediate certificates to confirm the issue is resolved"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Go programs that use the standard library\u2019s X509 verification logic are affected, including direct users of crypto/x509 and any components that depend on it such as crypto/tls.", "description_and_impact": "A weakness in the Go standard library crypto/x509 package allows an attacker to cause excessive CPU and memory usage during certificate chain verification. When a very large list of intermediate certificates is supplied to VerifyOptions.Intermediates, the routine performs more work than intended, potentially hanging or crashing the verifier. The flaw is classified as a resource exhaustion vulnerability (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 7.5 marks the issue as high severity, while the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. An adversary can trigger the denial of service by delivering a crafted chain of many intermediate certificates during a TLS handshake or by directly invoking the verification function from application code. The impact is limited to availability, but it can disrupt services that perform certificate validation."}}}}, "created": "2026-04-08T19:44:15.131441+00:00", "updated": "2026-04-09T08:28:12.883013+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$crypto/x509"]}