CVE-2026-32283

Summary

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Affected Software

VendorProductVersion RangeStatus
Go standard librarycrypto/tls0 < 1.25.9affected
Go standard librarycrypto/tls1.26.0-0 < 1.26.2affected

Weaknesses

  • CWE-667: Improper Locking

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

Additional References

References