CVE-2026-32283
Published 2026-04-08
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Priority: P343 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.62% (45.3rd percentile)
Affected
115 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| 3scale-amp26 | 3scale-operator | — | — |
| 3scale-amp26 | operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| amq7 | amq-broker-rhel9-operator | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| apicurio | apicurio-registry-rhel8-operator | — | — |
| apicurio | apicurio-registry-rhel9-operator | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | virt-api | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | runc | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
VulDB
crypto-tls up to 1.25.8/1.26.1 on Go Update Message locking (Nessus ID 305650 / WID-SEC-2026-1006)
vuldb · 2026-05-04 · CVSS 7.5 (HIGH)
A vulnerability was found in crypto-tls up to 1.25.8/1.26.1 on Go. It has been declared as problematic. This affects an unknown part of the component Update Message Handler. Executing a manipulation can lead to improper locking.
The identification of this vulnerability is CVE-2026-32283. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
ghsa · 2026-04-14 · CVSS 7.5 (HIGH) · CWE-1395
### Impact
Unauthenticated denial of service.
### Summary
When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnera
GHSA
GHSA-jrg3-gfjw-hm96 (CVE-2026-32283)
ghsa_unreviewed · 2026-04-08
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
OSV
CVE-2026-32283
osv · 2026-04-08 · CVSS 7.5 (HIGH)
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
OSV
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
osv · 2026-04-07
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Red Hat
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
vendor_redhat · 2026-04-08 · CVSS 7.5 (HIGH) · CWE-764
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
Package: rhai/assisted-installer-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Affected
Package: openshift-builds/openshift-builds-waiters-rhel9 (Builds for Red Hat OpenShift) - Affected
Package: cert-manager/jetstack-cert-manager-rhel9 (cert-manager Operator for Red Hat OpenShift)
Debian
CVE-2026-32283: golang-1.15
vendor_debian · 2026 · CVSS 7.5 (HIGH)
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 (HIGH)
## CVE-2026-27144: Golang vulnerability analysis and mitigation
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-race
go-toolset
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 202
Wiz
CVE-2026-32283 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4 (MEDIUM)
## CVE-2026-32283: Golang vulnerability analysis and mitigation
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux
Wiz
CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 (HIGH)
## CVE-2026-27140: Golang vulnerability analysis and mitigation
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.19
golang-1.24
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux Has Fix Added at: Apr 09, 2026
Windows Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 (HIGH)
## CVE-2026-32280: Golang vulnerability analysis and mitigation
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Source: NVD
Score 7.5
Published April 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33810 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4 (MEDIUM)
## CVE-2026-33810: Golang vulnerability analysis and mitigation
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:golang:go
golang-1.26
Sources
NVD
Debian 14 Has Fix Adde
Wiz
CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 (CRITICAL)
## CVE-2026-27143: Golang vulnerability analysis and mitigation
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.24
golang-1.25
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Red Hat 8, 9, 10 Severity MED
Bugzilla
CVE-2026-32283 golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages [fedora-all]
bugzilla · 2026-04-13 · CVSS 7.5 (HIGH)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
bugzilla · 2026-04-08 · CVSS 7.5 (HIGH)
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:10217 https://access.redhat.com/errata/RHSA-2026:10217
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:10219 https://access.redhat.com/errata/RHSA-2026:10219
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:10704 ht
References
https://go.dev/cl/763767
https://go.dev/issue/78334
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4870
https://access.redhat.com/errata/RHSA-2026:10217
https://access.redhat.com/errata/RHSA-2026:10219
https://access.redhat.com/errata/RHSA-2026:10704
https://access.redhat.com/errata/RHSA-2026:11507
https://access.redhat.com/errata/RHSA-2026:11514
https://access.redhat.com/errata/RHSA-2026:11704
https://access.redhat.com/errata/RHSA-2026:11711
https://access.redhat.com/errata/RHSA-2026:11712
https://access.redhat.com/errata/RHSA-2026:11863
https://access.redhat.com/errata/RHSA-2026:11881
https://access.redhat.com/errata/RHSA-2026:14162
https://access.redhat.com/errata/RHSA-2026:14200
https://access.redhat.com/errata/RHSA-2026:14391
https://access.redhat.com/errata/RHSA-2026:15980
https://access.redhat.com/errata/RHSA-2026:16021
https://access.redhat.com/errata/RHSA-2026:16024
https://access.redhat.com/errata/RHSA-2026:16101
https://access.redhat.com/errata/RHSA-2026:16102
https://access.redhat.com/errata/RHSA-2026:16875
https://access.redhat.com/errata/RHSA-2026:17075
https://access.redhat.com/errata/RHSA-2026:17084
https://access.redhat.com/errata/RHSA-2026:17287
https://access.redhat.com/errata/RHSA-2026:18027
https://access.redhat.com/errata/RHSA-2026:18032
https://access.redhat.com/errata/RHSA-2026:19126
https://access.redhat.com/errata/RHSA-2026:19132
https://access.redhat.com/errata/RHSA-2026:19133
https://access.redhat.com/errata/RHSA-2026:19134
https://access.redhat.com/errata/RHSA-2026:19135
https://access.redhat.com/errata/RHSA-2026:19136
https://access.redhat.com/errata/RHSA-2026:19137
https://access.redhat.com/errata/RHSA-2026:19139
https://access.redhat.com/errata/RHSA-2026:19144
https://access.redhat.com/errata/RHSA-2026:19156
https://access.redhat.com/errata/RHSA-2026:19350
https://access.redhat.com/errata/RHSA-2026:19351
https://access.redhat.com/errata/RHSA-2026:19352
https://access.redhat.com/errata/RHSA-2026:19353
https://access.redhat.com/errata/RHSA-2026:19369
https://access.redhat.com/errata/RHSA-2026:19450
https://access.redhat.com/errata/RHSA-2026:19550
https://access.redhat.com/errata/RHSA-2026:19634
https://access.redhat.com/errata/RHSA-2026:19714
https://access.redhat.com/errata/RHSA-2026:19715
https://access.redhat.com/errata/RHSA-2026:19719
https://access.redhat.com/errata/RHSA-2026:19720
https://access.redhat.com/errata/RHSA-2026:19721
https://access.redhat.com/errata/RHSA-2026:19722
https://access.redhat.com/errata/RHSA-2026:19750
https://access.redhat.com/errata/RHSA-2026:19839
https://access.redhat.com/errata/RHSA-2026:20556
https://access.redhat.com/errata/RHSA-2026:20569
https://access.redhat.com/errata/RHSA-2026:20570
https://access.redhat.com/errata/RHSA-2026:20571
https://access.redhat.com/errata/RHSA-2026:20607
https://access.redhat.com/errata/RHSA-2026:20608
https://access.redhat.com/errata/RHSA-2026:20609
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:22423
https://access.redhat.com/errata/RHSA-2026:22450
https://access.redhat.com/errata/RHSA-2026:22485
https://access.redhat.com/errata/RHSA-2026:22709
https://access.redhat.com/errata/RHSA-2026:22713
https://access.redhat.com/errata/RHSA-2026:22714
https://access.redhat.com/errata/RHSA-2026:22937
https://access.redhat.com/errata/RHSA-2026:23102
https://access.redhat.com/errata/RHSA-2026:23103
https://access.redhat.com/errata/RHSA-2026:23228
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/errata/RHSA-2026:24337
https://access.redhat.com/errata/RHSA-2026:24470
https://access.redhat.com/errata/RHSA-2026:24761
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:26447
https://access.redhat.com/errata/RHSA-2026:26571
https://access.redhat.com/errata/RHSA-2026:26636
https://access.redhat.com/errata/RHSA-2026:27076
https://access.redhat.com/errata/RHSA-2026:28038
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:28074
https://access.redhat.com/errata/RHSA-2026:29035
https://access.redhat.com/errata/RHSA-2026:29195
https://access.redhat.com/errata/RHSA-2026:29455
https://access.redhat.com/errata/RHSA-2026:29703
https://access.redhat.com/errata/RHSA-2026:7291
https://access.redhat.com/errata/RHSA-2026:7385
https://access.redhat.com/security/cve/CVE-2026-32283
https://bugzilla.redhat.com/show_bug.cgi?id=2456338
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32283.json