Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via certificate chain policy processing
Action: Update Library
AI Analysis

Impact

This vulnerability causes inefficient processing of certificate chains that contain a large number of policy mappings during validation by Go's crypto/x509 library. The excessive computational effort can consume CPU and memory resources, potentially leading to denial of service in applications that trust the chain. The weakness aligns with CWE‑1050, an inefficient algorithm, and also maps to CWE‑295.

Affected Systems

The affected component is the Go standard library package crypto/x509 used for certificate chain verification. Any Go application that validates certificates against trusted roots, either through VerifyOptions.Roots or the system certificate pool, is impacted regardless of application type. The issue is present in all Go releases that include the vulnerable implementation; specific version numbers are not listed in the advisory.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability poses a moderate to high risk. The EPSS score is below 1%, suggesting current exploitation is unlikely, and it is not listed in the CISA KEV catalog. Attackers would need to supply a crafted certificate chain containing an unusually high number of policy mappings to a target application using the standard library for trusted validation. If successful, the attacker could cause elevated resource consumption and service interruption. No official patch is mentioned, so upgrading to a Go release that contains the fix is the best approach.

Generated by OpenCVE AI on April 17, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that addresses the crypto/x509 policy validation inefficiency
  • Verify that the application still validates certificates correctly after the upgrade
  • Monitor the application for CPU or memory spikes that could indicate denial‑of‑service attempts
  • If an upgrade cannot be performed immediately, consider limiting the number of policy mappings in trusted chains or disabling policy validation for trusted certificates, understanding that this may affect compliance

Generated by OpenCVE AI on April 17, 2026 at 09:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-295
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library crypto/x509
Weaknesses CWE-770
Vendors & Products Go Standard Library
Go Standard Library crypto/x509

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Title Inefficient policy validation in crypto/x509
References

Subscriptions

Go Standard Library Crypto/x509
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-13T18:19:44.779Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32281

cve-icon Vulnrichment

Updated: 2026-04-13T17:52:33.394Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T02:16:03.350

Modified: 2026-04-16T19:15:57.750

Link: CVE-2026-32281

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-08T01:06:58Z

Links: CVE-2026-32281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses