CVE-2026-32952Integer Overflow or Wraparound in Go-ntlmssp

CWE-190Integer Overflow or Wraparound4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 82.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
109
Azure Go-ntlmsspGithub.com Azure Go-ntlmsspAnsible-automation-platform-24 Aap-must-gather-rhel8+106 more
Timeline
PublishedApr 24

Description

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages109 packages

CVEListV5azure/go-ntlmssp< 0.1.1
Red Hatgrafana/grafana
Red Hatquay/quay-rhel8
Red Hatquay/quay-rhel9

🔴Vulnerability Details

1
GHSA
go-ntlmssp NTLM challenges can panic on malformed payloads2026-04-23

📋Vendor Advisories

1
Red Hat
go-ntlmssp: go-ntlmssp: Denial of Service via malicious NTLM challenge2026-04-24

💬Community

1
Bugzilla
CVE-2026-32952 go-ntlmssp: go-ntlmssp: Denial of Service via malicious NTLM challenge2026-04-24
CVE-2026-32952 — Integer Overflow or Wraparound | cvebase