Cyber Resilience

CVE-2026-32280

HighDDoS

Published: 08 April 2026

Published
08 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 6.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32280 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-32280 is a denial-of-service vulnerability in the Go programming language's crypto/x509 package, stemming from inadequate limits on computational work during certificate chain building. Specifically, when a large number of intermediate certificates are provided via VerifyOptions.Intermediates, the process performs excessive operations without proper bounds, exhausting resources. This issue affects both direct users of the crypto/x509 package and applications leveraging crypto/tls, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability was published on 2026-04-08.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by supplying a TLS handshake or x509 verification request containing an excessively large set of intermediate certificates. This triggers unbounded computation during chain validation, leading to high availability impact through resource exhaustion, such as CPU consumption, potentially causing the affected Go application to become unresponsive or crash.

The Go security team has issued guidance via GO-2026-4947, with a fix available in change list 758320 addressing Go issue 78282, as announced on the golang-announce mailing list. Practitioners should update to patched versions of Go incorporating this change and review applications using crypto/x509 or crypto/tls for exposure.

EU & UK References

Vulnerability details

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509…

more

and users of crypto/tls.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote DoS via unbounded computation in TLS/x509 chain validation on public-facing Go services (T1190) and directly supports application exploitation to exhaust endpoint resources (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61726Same product: Golang Go
CVE-2026-32283Same product: Golang Go
CVE-2026-25679Same product: Golang Go
CVE-2026-27137Same product: Golang Go
CVE-2026-32281Same product: Golang Go
CVE-2025-68121Same product: Golang Go
CVE-2026-27143Same product: Golang Go
CVE-2026-27144Same product: Golang Go
CVE-2025-61731Same product: Golang Go
CVE-2026-27140Same product: Golang Go

Affected Assets

golang
go
≤ 1.25.9 · 1.26.0 — 1.26.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in Go's crypto/x509 package by applying vendor patches directly prevents unbounded computation during certificate chain building with excessive intermediates.

preventdetect

Denial-of-service protection mechanisms directly mitigate resource exhaustion attacks triggered by large numbers of intermediate certificates in TLS or x509 verification.

prevent

Resource availability controls prevent denial of service by enforcing limits on computational resources during certificate validation processes.

References