{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32280", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.555Z", "datePublished": "2026-04-08T01:06:58.595Z", "dateUpdated": "2026-04-08T17:46:47.347Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:58.595Z"}, "title": "Unexpected work during chain building in crypto/x509", "descriptions": [{"lang": "en", "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Certificate.buildChains"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://go.dev/cl/758320"}, {"url": "https://go.dev/issue/78282"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4947"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:46:14.569488Z", "id": "CVE-2026-32280", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:46:47.347Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."}], "id": "CVE-2026-32280", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T02:16:03.247", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/758320"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78282"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4947"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "crypto/x509", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-08T21:36:29.656801+00:00", "value": {"mitigation_remediation": ["Upgrade your Go installation to the latest release that includes the fix for this vulnerability", "Verify that any TLS or X509 operations in your application use the updated library", "Test your application with a large number of intermediate certificates to confirm the issue is resolved"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Go programs that use the standard library\u2019s X509 verification logic are affected, including direct users of crypto/x509 and any components that depend on it such as crypto/tls.", "description_and_impact": "A weakness in the Go standard library crypto/x509 package allows an attacker to cause excessive CPU and memory usage during certificate chain verification. When a very large list of intermediate certificates is supplied to VerifyOptions.Intermediates, the routine performs more work than intended, potentially hanging or crashing the verifier. The flaw is classified as a resource exhaustion vulnerability (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 7.5 marks the issue as high severity, while the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. An adversary can trigger the denial of service by delivering a crafted chain of many intermediate certificates during a TLS handshake or by directly invoking the verification function from application code. The impact is limited to availability, but it can disrupt services that perform certificate validation."}}}}, "created": "2026-04-08T19:44:15.131441+00:00", "updated": "2026-04-09T08:28:12.883013+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$crypto/x509"]}