Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A weakness in the Go standard library crypto/x509 package allows an attacker to cause excessive CPU and memory usage during certificate chain verification. When a very large list of intermediate certificates is supplied to VerifyOptions.Intermediates, the routine performs more work than intended, potentially hanging or crashing the verifier. The flaw is classified as a resource exhaustion vulnerability (CWE‑770).

Affected Systems

All Go programs that use the standard library’s X509 verification logic are affected, including direct users of crypto/x509 and any components that depend on it such as crypto/tls.

Risk and Exploitability

The CVSS score of 7.5 marks the issue as high severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. An adversary can trigger the denial of service by delivering a crafted chain of many intermediate certificates during a TLS handshake or by directly invoking the verification function from application code. The impact is limited to availability, but it can disrupt services that perform certificate validation.

Generated by OpenCVE AI on April 8, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Go installation to the latest release that includes the fix for this vulnerability
  • Verify that any TLS or X509 operations in your application use the updated library
  • Test your application with a large number of intermediate certificates to confirm the issue is resolved

Generated by OpenCVE AI on April 8, 2026 at 21:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library crypto/x509
Vendors & Products Go Standard Library
Go Standard Library crypto/x509

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Title Unexpected work during chain building in crypto/x509
References

Subscriptions

Go Standard Library Crypto/x509
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-08T17:46:47.347Z

Reserved: 2026-03-11T16:38:46.555Z

Link: CVE-2026-32280

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T02:16:03.247

Modified: 2026-04-16T19:16:42.180

Link: CVE-2026-32280

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-08T01:06:58Z

Links: CVE-2026-32280 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:12Z

Weaknesses