Zero Day MonitorZDM

← Back to list

—

CVE-2026-32280PATCHED

go standard library · crypto/x509

Unexpected work during chain building in crypto/x509

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected Products

Vendor	Product	Versions
go standard library	crypto/x509	0, 1.26.0-0, 1.25.8, 1.26.1

References

https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4947

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-32280 | crypto-x509 up to 1.25.8/1.26.1 on Go Certificate allocation of resources

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.25.91.26.2

PublishedApr 8, 2026

Last enriched2h agov2

Tags

CVE-2026-32280

Trending Score28

Source articles2

Independent1

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33810EXP

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

HIGHCVE-2026-32288EXP

Unbounded allocation for old GNU sparse in archive/tar

HIGHCVE-2026-32289EXP

JsBraceDepth Context Tracking Bugs (XSS) in html/template

HIGHCVE-2026-32283EXP

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

HIGHCVE-2026-32281EXP

Inefficient policy validation in crypto/x509

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity, tags

Apr 8, 2026

Version History

v2

Last enriched 2h ago

v2Tier C2h ago

Updated affected versions to include 1.25.8 and 1.26.1, changed severity to HIGH, and noted that no exploit exists.

affectedVersionsseveritytags

via VulDB

v16h ago

Initial creation