Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Affected Products

Vendor	Product	Versions
tls working	tls	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (2 articles)

Tier C

oss-security1d ago

Go 1.26.2 and Go 1.25.9 are released with 10 security fixes

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-32283 | crypto-tls up to 1.25.8/1.26.1 on Go Update Message locking

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

CWECWE-664

PublishedApr 8, 2026

Last enriched2d agov2

Community Vote

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated affected versions, severity to HIGH, marked as actively exploited, and added CWE-664 and MITRE ATT&CK technique T1203.

affectedVersionsseverityactivelyExploitedcweIdsmitreAttacktags

via VulDB

v12d ago

Initial creation