TLS Connection Deadlock Vulnerability in Go Programming Language
CVE-2026-32283

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Crypto/tls
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-32283?

A vulnerability exists in the Go programming language related to TLS 1.3, where sending multiple key update messages in a single record after the handshake can cause the connection to deadlock. This results in uncontrolled resource consumption, potentially leading to denial of service conditions. Developers using Go's TLS functionality should be aware of this issue to prevent service interruptions.

Affected Version(s)

crypto/tls 0 < 1.25.9

crypto/tls 1.26.0-0 < 1.26.2

References

https://go.dev/cl/763767

https://go.dev/issue/78334

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Jakub Ciolek - https://ciolek.dev/

CVE-2026-32283 Data

JSON