CVE-2026-32280

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected Software

VendorProductVersion RangeStatus
Go standard librarycrypto/x5090 < 1.25.9affected
Go standard librarycrypto/x5091.26.0-0 < 1.26.2affected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

Additional References

References