TLS Connection Deadlock Vulnerability in Go Programming Language
CVE-2026-32283

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/tls
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-32283?

A vulnerability exists in the Go programming language related to TLS 1.3, where sending multiple key update messages in a single record after the handshake can cause the connection to deadlock. This results in uncontrolled resource consumption, potentially leading to denial of service conditions. Developers using Go's TLS functionality should be aware of this issue to prevent service interruptions.

Affected Version(s)

crypto/tls 0 < 1.25.9

crypto/tls 1.26.0-0 < 1.26.2

References

https://go.dev/cl/763767

https://go.dev/issue/78334

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Jakub Ciolek - https://ciolek.dev/

CVE-2026-32283 Data

JSON