CVE-2026-32280: Allocation of Resources Without Limits or Throttling in Standard Library Crypto X509

Severity
7.5 HIGH (NVD)
EPSS
0.0%
top 94.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 8
Latest update: Apr 13

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

CVEListV5 | go_standard_library/crypto_x509 | 1.26.0-0 | 1.26.2 | +1

🔴Vulnerability Details

5
VulDB
crypto-x509 up to 1.25.8/1.26.1 on Go Certificate allocation of resources (Nessus ID 305615 / WID-SEC-2026-1006) | 2026-04-13
GHSA
GHSA-m4pr-4j3g-9v7v: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO | 2026-04-08
OSV
CVE-2026-32280: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO | 2026-04-08
CVEList
Unexpected work during chain building in crypto/x509 | 2026-04-08
OSV
Unexpected work during chain building in crypto/x509 | 2026-04-07

📋Vendor Advisories

1
Debian
CVE-2026-32280: golang-1.15 - During chain building, the amount of work that is done is not correctly limited ... | 2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-32280 golang: Go: Denial of Service vulnerability in certificate chain building [fedora-all] | 2026-04-13
CVE-2026-32280 — HIGH severity | cvebase