CVE-2026-32283 — Standard Library Crypto TLS vulnerability
8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 94.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 8
Latest updateApr 13
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages1 packages
🔴Vulnerability Details
4CVEList▶
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls↗2026-04-08
GHSA▶
GHSA-jrg3-gfjw-hm96: If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrol↗2026-04-08
OSV▶
CVE-2026-32283: If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrol↗2026-04-08
OSV▶
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls↗2026-04-07
📋Vendor Advisories
1Debian▶
CVE-2026-32283: golang-1.15 - If one side of the TLS connection sends multiple key update messages post-handsh...↗2026
🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-32283 golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages [fedora-all]↗2026-04-13