anonhaven
Ad

CVE-2026-32281

HIGH CVSS 3.1: 7.5 EPSS 0.02%
Updated Apr 16, 2026
Golang
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 1.26.0 — 1.26.2
Fixed In 1.25.9
Type CWE-295 (Improper Certificate Validation)
Vendor Golang
Public PoC No

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-295 Improper Certificate Validation

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.25.9
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.26.0 1.26.2

References 4

https://go.dev/cl/758061
security@golang.org
https://go.dev/issue/78281
security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4946
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33810

Golang

8.2

CVE-2026-32289

Go Standard Library

6.1

CVE-2026-32288

Go Standard Library

5.5

CVE-2026-32283

Golang

7.5

CVE-2026-32282

Golang

6.4