anonhaven
Ad

CVE-2026-32280

HIGH CVSS 3.1: 7.5 EPSS 0.02%
Updated Apr 16, 2026
Golang
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 1.26.0 — 1.26.2
Fixed In 1.25.9
Type CWE-770 (Allocation Without Limits)
Vendor Golang
Public PoC No

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-770 Allocation Without Limits

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.25.9
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.26.0 1.26.2

References 4

https://go.dev/cl/758320
security@golang.org
https://go.dev/issue/78282
security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4947
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33810

Golang

8.2

CVE-2026-32289

Go Standard Library

6.1

CVE-2026-32288

Go Standard Library

5.5

CVE-2026-32283

Golang

7.5

CVE-2026-32282

Golang

6.4