CVE-2026-32280
Published: 08 April 2026
Summary
CVE-2026-32280 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific flaw in Go's crypto/x509 package by applying vendor patches directly prevents unbounded computation during certificate chain building with excessive intermediates.
Denial-of-service protection mechanisms directly mitigate resource exhaustion attacks triggered by large numbers of intermediate certificates in TLS or x509 verification.
Resource availability controls prevent denial of service by enforcing limits on computational resources during certificate validation processes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote DoS via unbounded computation in TLS/x509 chain validation on public-facing Go services (T1190) and directly supports application exploitation to exhaust endpoint resources (T1499.004).
NVD Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509…
more
and users of crypto/tls.
Deeper analysisAI
CVE-2026-32280 is a denial-of-service vulnerability in the Go programming language's crypto/x509 package, stemming from inadequate limits on computational work during certificate chain building. Specifically, when a large number of intermediate certificates are provided via VerifyOptions.Intermediates, the process performs excessive operations without proper bounds, exhausting resources. This issue affects both direct users of the crypto/x509 package and applications leveraging crypto/tls, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability was published on 2026-04-08.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by supplying a TLS handshake or x509 verification request containing an excessively large set of intermediate certificates. This triggers unbounded computation during chain validation, leading to high availability impact through resource exhaustion, such as CPU consumption, potentially causing the affected Go application to become unresponsive or crash.
The Go security team has issued guidance via GO-2026-4947, with a fix available in change list 758320 addressing Go issue 78282, as announced on the golang-announce mailing list. Practitioners should update to patched versions of Go incorporating this change and review applications using crypto/x509 or crypto/tls for exposure.
Details
- CWE(s)