CVE-2026-32280
published 2026-04-08
CVE-2026-32280: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in…
Priority P342 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.61% (44.9th percentile)
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Affected
112 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| 3scale-amp26 | 3scale-operator | — | — |
| 3scale-amp26 | operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| cnv4 | openshift-golang-builder | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | virt-api | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | runc | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa · 7.5 HIGH
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_redhat · 7.5 HIGH
GHSA
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
ghsa·2026-04-14·CVSS 7.5
[HIGH] CWE-1395 OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
### Impact
Unauthenticated denial of service.
### Summary
When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnera
VulDB
crypto-x509 up to 1.25.8/1.26.1 on Go Certificate allocation of resources (Nessus ID 305615 / WID-SEC-2026-1006)
vuldb·2026-04-13·CVSS 7.5
CVE-2026-32280 [HIGH] crypto-x509 up to 1.25.8/1.26.1 on Go Certificate allocation of resources (Nessus ID 305615 / WID-SEC-2026-1006)
A vulnerability was found in crypto-x509 up to 1.25.8/1.26.1 on Go and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Certificate Handler. Such manipulation leads to allocation of resources.
This vulnerability is uniquely identified as CVE-2026-32280. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
GHSA-m4pr-4j3g-9v7v: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO
ghsa_unreviewed·2026-04-08
CVE-2026-32280 [HIGH] CWE-770 GHSA-m4pr-4j3g-9v7v: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
OSV
CVE-2026-32280: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO
osv·2026-04-08·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyO
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
OSV
Unexpected work during chain building in crypto/x509
osv·2026-04-07
CVE-2026-32280 Unexpected work during chain building in crypto/x509
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Red Hat
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
vendor_redhat·2026-04-08·CVSS 7.5
CVE-2026-32280 [HIGH] CWE-770 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
Package: rhai/assisted-installer-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Affected
Package: openshift-builds/openshift-builds-waiters-rhel9 (Builds for Red Hat OpenShift) - Affected
Package: cert-manager/jetstack-cert-manage
Debian
CVE-2026-32280: golang-1.15 - During chain building, the amount of work that is done is not correctly limited ...
vendor_debian·2026·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280: golang-1.15 - During chain building, the amount of work that is done is not correctly limited ...
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32280: Golang vulnerability analysis and mitigation
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Source: NVD
Score: 7.5
Published: April 8, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Golang, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: golang-1.15, golang-1.19
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Apr 09, 2026
Bugzilla
CVE-2026-32280 golang: Go: Denial of Service vulnerability in certificate chain building [fedora-all]
bugzilla·2026-04-13·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280 golang: Go: Denial of Service vulnerability in certificate chain building [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
bugzilla·2026-04-08·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Published: 2026-04-08