Denial of Service Vulnerability in Go's Certificate Chain Validation
CVE-2026-32281

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/x509
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-32281?

A vulnerability exists in Go's certificate chain validation process that can lead to denial of service. This issue arises when validating certificate chains that contain an excessive number of policy mappings, resulting in inefficient processing. The vulnerability affects trusted certificate chains that are either part of the VerifyOptions.Roots CertPool or included in the system certificate pool. If an attacker exploits this inefficiency, it could cause system instability and service interruptions.

Affected Version(s)

crypto/x509 0 < 1.25.9

crypto/x509 1.26.0-0 < 1.26.2

References

https://go.dev/cl/758061

https://go.dev/issue/78281

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Jakub Ciolek - https://ciolek.dev

CVE-2026-32281 Data

JSON