CVE-2026-32281
Published: 08 April 2026
Summary
CVE-2026-32281 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
Flaw remediation directly addresses this CVE by applying the official Go patch to fix the inefficient certificate chain validation logic.
Denial-of-service protection mitigates resource exhaustion attacks during TLS handshakes by implementing protections at network entry points.
Resource availability controls limit consumption of CPU and memory by processes handling certificate validation to prevent DoS.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The CVE enables an algorithmic-complexity DoS: a crafted but trusted certificate chain supplied during TLS validation triggers the inefficient processing, which directly matches Application or System Exploitation in its impact on endpoint availability.
NVD Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Deeper analysis [AI-generated]
CVE-2026-32281 is a denial-of-service vulnerability in the Go programming language's certificate chain validation logic, published on 2026-04-08. The issue arises during validation of certificate chains that use policies, where certificates containing a very large number of policy mappings cause unexpectedly inefficient processing. This affects only otherwise trusted chains issued by root CAs in the VerifyOptions.Roots CertPool or the system certificate pool, stemming from CWE-295 (Improper Certificate Validation). The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers require no privileges or user interaction to exploit this vulnerability. By presenting a malicious but trusted certificate chain with an excessive number of policy mappings during a TLS handshake or certificate validation, an attacker can trigger high resource consumption in the validating Go application, leading to denial of service.
Mitigation details, patches, and advisories are available in official Go resources, including the issue tracker at https://go.dev/issue/78281, the code change at https://go.dev/cl/758061, the Golang announcement group at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU, and the Go vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-4946.
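As an added illustration of the resource-availability control above (not code from the Go project or from this advisory): a client-side guard that counts the policy mappings in a peer's chain before crypto/x509 evaluates policies, rejecting chains over a budget and only then running the normal root, chain and hostname checks. The budget of 16, the function names and the server name "example.test" are assumptions; upgrading to the patched Go release remains the real fix, and this guard is a stopgap for hosts that cannot yet do so.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// checkPolicyMappingBudget totals policy mappings across a parsed chain and rejects anything above limit (an assumed operator-chosen value; genuine chains carry a handful).
func checkPolicyMappingBudget(chain []*x509.Certificate, limit int) (int, error) {
	n := 0
	for _, c := range chain {
		n += len(c.PolicyMappings) // field available in crypto/x509 since Go 1.22
	}
	if n > limit {
		return n, fmt.Errorf("chain carries %d policy mappings, limit %d", n, limit)
	}
	return n, nil
}

// budgetedVerifier builds a tls.Config.VerifyPeerCertificate callback that runs the cheap
// budget check before the costly policy validation. Install it with InsecureSkipVerify: true,
// which only skips the automatic pass; roots, chain building and hostname are checked here.
func budgetedVerifier(roots *x509.CertPool, serverName string, limit int) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		chain := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw) // linear parse; policies are not evaluated yet
			if err != nil {
				return err
			}
			chain = append(chain, c)
		}
		if _, err := checkPolicyMappingBudget(chain, limit); err != nil {
			return err
		}
		opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, Intermediates: x509.NewCertPool()}
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err := chain[0].Verify(opts)
		return err
	}
}

func main() { fmt.Println(budgetedVerifier(x509.NewCertPool(), "example.test", 16)(nil, nil)) }
```

Because crypto/tls only invokes VerifyPeerCertificate after its own verification succeeds, the automatic pass must be disabled for the budget check to run first; the callback reinstates every check that pass would have done.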
Details
- CWE(s)