Denial of Service Vulnerability in Go's Crypto/X509 and Crypto/TLS
CVE-2026-32280

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/x509
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-32280?

A flaw in the Go programming language's crypto/x509 and crypto/tls libraries allows for denial of service during chain building processes. This issue arises when an excessive number of intermediate certificates are supplied, leading to insufficient work limitation in VerifyOptions.Intermediates. This could impact users relying on these libraries for secure communications, exposing them to significant downtimes.

Affected Version(s)

crypto/x509 0 < 1.25.9

crypto/x509 1.26.0-0 < 1.26.2

References

https://go.dev/cl/758320

https://go.dev/issue/78282

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Jakub Ciolek - https://ciolek.dev

CVE-2026-32280 Data

JSON