CVE-2026-32281
Published 2026-04-08
CVE-2026-32281: Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings…
Priority P3 · 38 · high · 7.5 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.35% (26.8th percentile)
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.19 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.24 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.25 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.26 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| github.com | opentofu_opentofu | >= 0 < 1.11.6 | 1.11.6 |
| go_standard_library | crypto_x509 | < 1.25.9 | 1.25.9 |
| go_standard_library | crypto_x509 | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | < 1.25.9 | 1.25.9 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
ghsa · 2026-04-14 · CVSS 7.5 · HIGH · CWE-1395
### Impact
Unauthenticated denial of service.
### Summary
When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnera
VulDB
crypto-x509 up to 1.25.8/1.26.1 on Go Certificate algorithmic complexity (Nessus ID 305623 / WID-SEC-2026-1006)
vuldb · 2026-04-13 · CVSS 7.5 · HIGH · CVE-2026-32281
A vulnerability classified as problematic was found in crypto-x509 up to 1.25.8/1.26.1 on Go. It affects an unknown function of the component Certificate Handler; the manipulation results in inefficient algorithmic complexity.
This vulnerability is tracked as CVE-2026-32281. The attack can be launched remotely. No exploit is available.
You should upgrade the affected component.
OSV
CVE-2026-32281: Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mapp
osv · 2026-04-08 · CVSS 7.5 · HIGH
GHSA
GHSA-gjvh-7jh8-7xhm: Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mapp
ghsa_unreviewed · 2026-04-08 · CVE-2026-32281
OSV
Inefficient policy validation in crypto/x509
osv · 2026-04-07 · CVE-2026-32281
Red Hat
crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
vendor_redhat · 2026-04-08 · CVSS 7.5 · HIGH · CWE-1050
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
Mitigation: A mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.
Package: redhat-user-workloads/appliance (Assisted Installer for Red Hat OpenShift Container Pl
Debian
CVE-2026-32281: golang-1.15 - Validating certificate chains which use policies is unexpectedly inefficient whe...
vendor_debian · 2026 · CVSS 7.5 · HIGH
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-32281 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
bugzilla · 2026-04-08 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-32281 golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation [fedora-all]
bugzilla · 2026-04-08 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Wiz
CVE-2026-32281 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-32281: Grafana vulnerability analysis and mitigation
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Grafana, Podman
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: go-toolset:rhel8::golang-tests, grafana-mssql
Sources: NVD, Debian
Wiz
CVE-2026-32288 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-32288: Grafana vulnerability analysis and mitigation
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Grafana, Podman
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: grafana-postgres, golang-1.26
Sources: NVD
| Distribution | Severity | Fix status | Added at |
|---|---|---|---|
| Debian 11, 12, 13 | | No Fix | Apr 09, 2026 |
| Debian 14 | | Has Fix | Apr 09, 2026 |
| Echo | | No Fix | Apr 09, 2026 |
| Red Hat 8, 9, 10 | MEDIUM | No Fix | Apr 09, 2026 |
Wiz
CVE-2026-32289 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-32289: Grafana vulnerability analysis and mitigation
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Grafana, Podman
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.4
Exploitation Probability (EPSS): N/A
Affected packages
Wiz
CVE-2026-32282 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-32282: Grafana vulnerability analysis and mitigation
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Grafana, Podman
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due