anonhaven
Ad

CVE-2026-32283

HIGH CVSS 3.1: 7.5 EPSS 0.02%
Updated Apr 16, 2026
Golang
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 1.26.0 — 1.26.2
Fixed In 1.25.9
Type CWE-770 (Allocation Without Limits)
Vendor Golang
Public PoC No

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-770 Allocation Without Limits

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.25.9
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.26.0 1.26.2

References 4

https://go.dev/cl/763767
security@golang.org
https://go.dev/issue/78334
security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4870
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33810

Golang

8.2

CVE-2026-32289

Go Standard Library

6.1

CVE-2026-32288

Go Standard Library

5.5

CVE-2026-32282

Golang

6.4

CVE-2026-32281

Golang

7.5