CVE-2026-32283
Published: 08 April 2026
Summary
CVE-2026-32283 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Go (vendor: Golang), specifically in the crypto/tls package. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By exploit likelihood it ranks at the 5.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST SP 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (SI-2): upgrading to a patched Go version directly eliminates the TLS 1.3 key update deadlock in crypto/tls.
- Information input validation (SI-10): rejecting malformed TLS records that carry multiple post-handshake key update messages prevents the deadlock from being triggered.
- Denial-of-service protection (SC-5): resource limits contain the impact of crafted TLS 1.3 connections that cause deadlocks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote denial of service via a crafted TLS 1.3 key update record that causes a deadlock and resource exhaustion in Go's crypto/tls. That maps directly to T1499.004 (Endpoint Denial of Service: Application or System Exploitation), since the outage is triggered by a vulnerability rather than by traffic volume, and not to the flood-based T1498 variants.
NVD Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Deeper analysis
CVE-2026-32283 is a denial-of-service vulnerability in the Go crypto/tls package. It occurs when one side of a TLS 1.3 connection sends multiple key update messages post-handshake within a single record, triggering a deadlock that leads to uncontrolled resource consumption. The issue is scored at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling). Only TLS 1.3 connections handled by the vulnerable Go crypto/tls code are affected.
An unauthenticated remote attacker can exploit this by establishing a TLS 1.3 connection and transmitting a specially crafted record containing multiple key update messages after the handshake. The affected peer enters a deadlock state, exhausting CPU and memory resources and resulting in denial of service. Exploitation requires no user interaction or privileges, and any Go application acting as a TLS 1.3 server or client through the crypto/tls package is a potential target.
The fix is in Go change https://go.dev/cl/763767, tracked at https://go.dev/issue/78334 and announced on the golang-announce mailing list at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU. The vulnerability is tracked as GO-2026-4870 at https://pkg.go.dev/vuln/GO-2026-4870, which recommends upgrading to patched Go versions that reject invalid multi-key-update records.
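As an added example of the SC-5 compensating control described above (not code from the Go project or from the advisory), the following Go listener wrapper caps how many connections a TLS server holds open at once and sets per-connection deadlines, so that a batch of stalled TLS 1.3 sessions can pin only a bounded amount of goroutines and file descriptors. `limitListener`, `NewHardenedServer`, the port and the certificate paths are hypothetical choices for this example; upgrading Go remains the actual fix.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// limitListener (hypothetical helper) caps concurrently open connections: a
// slot is taken in Accept and handed back when the connection is closed.
type limitListener struct {
	net.Listener
	sem chan struct{}
}

func NewLimitListener(l net.Listener, limit int) *limitListener {
	return &limitListener{Listener: l, sem: make(chan struct{}, limit)}
}

func (l *limitListener) Accept() (net.Conn, error) {
	l.sem <- struct{}{} // blocks new accepts once the cap is reached
	c, err := l.Listener.Accept()
	if err != nil {
		<-l.sem
		return nil, err
	}
	return &limitConn{Conn: c, release: func() { <-l.sem }}, nil
}

type limitConn struct {
	net.Conn
	once    sync.Once
	release func()
}

// Close releases the slot exactly once, even if Close is called repeatedly.
func (c *limitConn) Close() error { c.once.Do(c.release); return c.Conn.Close() }

// NewHardenedServer sets per-connection deadlines so a session that stops
// making progress on the wire is torn down instead of being held open forever.
func NewHardenedServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h, ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout: 30 * time.Second, WriteTimeout: 30 * time.Second,
		IdleTimeout: 60 * time.Second}
}

func main() { // server.crt and server.key are placeholder paths
	base, err := net.Listen("tcp", ":8443")
	if err != nil {
		panic(err)
	}
	panic(NewHardenedServer(http.NotFoundHandler()).ServeTLS(NewLimitListener(base, 256), "server.crt", "server.key"))
}
```

A cap turns unbounded exhaustion into a bounded, observable saturation of the connection pool; monitor accept back-pressure so that hitting the cap is visible rather than silent.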
Details
- CWE(s)