Description
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out-of-bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.
Published: 2026-04-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to crash
Action: Immediate Patch
AI Analysis

Impact

A malformed NTLM challenge can trigger a slice out-of-bounds panic in the go-ntlmssp package, causing any Go process that uses the ntlmssp.Negotiator HTTP transport to terminate unexpectedly. The result is a denial of service rather than data exposure or remote code execution. The weakness is classified as CWE-190, reflecting a failure of integer bounds checking.
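The program below is an added illustration of the bug class, not go-ntlmssp's own code, and the page does not say which challenge field the 0.1.1 fix corrected. It parses the TargetName security buffer of an NTLM CHALLENGE_MESSAGE (field layout assumed from the public MS-NLMP description: 8-byte signature, 4-byte message type, then Len/MaxLen/BufferOffset at offset 12) in two forms: an unchecked parser that uses the attacker-controlled offset and length directly as slice indices and panics on hostile input, and a bounds-checked parser that returns an error instead. The challenge bytes are constructed inline by buildChallenge; recoverPanic only stands in for the process crash an unrecovered panic would cause inside an HTTP transport.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// secBuf is an NTLM "security buffer" descriptor: Len, MaxLen, BufferOffset.
// Layout assumed from MS-NLMP; the advisory itself does not show field offsets.
type secBuf struct {
	Len, MaxLen uint16
	Offset      uint32
}

const challengeHeaderLen = 48 // Signature through TargetInfoFields, without Version

func readSecBuf(msg []byte, at int) secBuf {
	return secBuf{
		Len:    binary.LittleEndian.Uint16(msg[at:]),
		MaxLen: binary.LittleEndian.Uint16(msg[at+2:]),
		Offset: binary.LittleEndian.Uint32(msg[at+4:]),
	}
}

// unsafeTargetName mirrors the unchecked pattern: Offset and Len supplied by
// the remote side are used directly as slice indices. A hostile challenge
// makes this panic with "slice bounds out of range", which kills the process.
func unsafeTargetName(msg []byte) []byte {
	b := readSecBuf(msg, 12) // TargetNameFields live at offset 12
	return msg[b.Offset : b.Offset+uint32(b.Len)]
}

// safeTargetName is the hardened form: validate the fixed header, widen the
// arithmetic so it cannot wrap, and confirm the buffer lies inside the message
// before slicing. Malformed input becomes an error the caller can log and reject.
func safeTargetName(msg []byte) ([]byte, error) {
	if len(msg) < challengeHeaderLen {
		return nil, errors.New("ntlm: challenge shorter than fixed header")
	}
	if string(msg[:8]) != "NTLMSSP\x00" {
		return nil, errors.New("ntlm: bad signature")
	}
	if mt := binary.LittleEndian.Uint32(msg[8:]); mt != 2 {
		return nil, fmt.Errorf("ntlm: message type %d is not CHALLENGE", mt)
	}
	b := readSecBuf(msg, 12)
	start := uint64(b.Offset)
	end := start + uint64(b.Len) // uint64 sum cannot overflow for uint32+uint16
	if start < challengeHeaderLen || end > uint64(len(msg)) {
		return nil, fmt.Errorf("ntlm: TargetName [%d,%d) outside %d-byte message", start, end, len(msg))
	}
	return msg[int(start):int(end)], nil
}

// buildChallenge constructs a minimal CHALLENGE_MESSAGE for the demo. The
// caller picks Offset/Len, so it can produce both valid and hostile input.
func buildChallenge(name string, nameOffset uint32, nameLen uint16) []byte {
	msg := make([]byte, challengeHeaderLen, challengeHeaderLen+len(name))
	copy(msg, "NTLMSSP\x00")
	binary.LittleEndian.PutUint32(msg[8:], 2)           // MessageType = CHALLENGE
	binary.LittleEndian.PutUint16(msg[12:], nameLen)    // TargetNameLen
	binary.LittleEndian.PutUint16(msg[14:], nameLen)    // TargetNameMaxLen
	binary.LittleEndian.PutUint32(msg[16:], nameOffset) // TargetNameBufferOffset
	// NegotiateFlags (20..24) left zero; ServerChallenge (24..32) is a fixed
	// constructed value; Reserved and TargetInfoFields stay zero (empty).
	copy(msg[24:32], []byte{1, 2, 3, 4, 5, 6, 7, 8})
	return append(msg, name...)
}

// recoverPanic reports whether f panicked; it stands in for the crash that an
// unrecovered panic inside an http.RoundTripper would cause.
func recoverPanic(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	good := buildChallenge("SERVER", challengeHeaderLen, 6)
	bad := buildChallenge("SERVER", challengeHeaderLen, 60000) // Len far past the payload
	name, err := safeTargetName(good)
	fmt.Printf("good: %q err=%v\n", name, err)
	_, err = safeTargetName(bad)
	fmt.Printf("bad:  err=%v\n", err)
	fmt.Println("unchecked parser panics on bad:", recoverPanic(func() { unsafeTargetName(bad) }))
}
```

The check is deliberately done in uint64 before any conversion to int: on a 32-bit target, casting a hostile uint32 offset straight to int can go negative, and adding Len to Offset in uint32 can wrap to a small value that passes a naive comparison. A client transport should treat the challenge exactly like any other untrusted network input, since it is produced by whichever server (or intermediary) answers the request.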

Affected Systems

The vulnerability affects the Azure go‑ntlmssp library used for NTLM/Negotiate authentication within Go applications. Versions prior to 0.1.1 are impacted; upgrading to 0.1.1 resolves the issue.

Risk and Exploitability

The CVSS score of 5.3 places the risk at moderate severity, while the EPSS score below 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, so no active exploitation has been documented. An attacker would need to deliver a crafted NTLM challenge to a vulnerable Go process that uses this library, which is feasible wherever NTLM authentication is enabled.

Generated by OpenCVE AI on April 28, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Azure go‑ntlmssp library to version 0.1.1 or later.
  • Replace any custom or deprecated usage of the ntlmssp.Negotiator transport with the patched version.
  • If NTLM authentication is not essential, disable it or use an alternative authentication mechanism to eliminate the attack surface.

Advisories

Source: GitHub GHSA
ID: GHSA-pjcq-xvwq-hhpj
Title: go-ntlmssp NTLM challenges can panic on malformed payloads
History

Thu, 21 May 2026 18:30:00 +0000

  First Time appeared   Values added: Microsoft; Microsoft go-ntlmssp
  CPEs                  Values added: cpe:2.3:a:microsoft:go-ntlmssp:*:*:*:*:*:go:*:*
  Vendors & Products    Values added: Microsoft; Microsoft go-ntlmssp

Thu, 30 Apr 2026 00:15:00 +0000

  References            (no values listed)
  Metrics               Values removed: threat_severity: None
                        Values added: threat_severity: Moderate


Tue, 28 Apr 2026 09:45:00 +0000

  First Time appeared   Values added: Azure; Azure go-ntlmssp
  Vendors & Products    Values added: Azure; Azure go-ntlmssp

Fri, 24 Apr 2026 17:15:00 +0000

  Metrics               Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 02:45:00 +0000

  Description           Values added: go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out-of-bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.
  Title                 Values added: go-ntlmssp NTLM challenges can panic on malformed payloads
  Weaknesses            Values added: CWE-190
  References            (no values listed)
  Metrics               Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T16:29:28.264Z

Reserved: 2026-03-17T00:05:53.285Z

Link: CVE-2026-32952

Vulnrichment

Updated: 2026-04-24T16:29:24.621Z

NVD

Status : Analyzed

Published: 2026-04-24T03:16:07.833

Modified: 2026-05-21T18:22:06.247

Link: CVE-2026-32952

Red Hat

Severity : Moderate

Public Date: 2026-04-24T01:46:31Z

Links: CVE-2026-32952 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:25:25Z

Weaknesses