Inefficient policy validation in crypto/x509

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected Products

Vendor	Product	Versions
go standard library	crypto/x509	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-32281 | crypto-x509 up to 1.25.8/1.26.1 on Go Certificate algorithmic complexity

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

PublishedApr 8, 2026

Last enriched2d agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated affected versions to include 1.25.8 and 1.26.1, changed severity to HIGH, marked as actively exploited, and noted that no exploit is available.

affectedVersionsseverityactivelyExploitedtags

via VulDB

v12d ago

Initial creation

Inefficient policy validation in crypto/x509

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History