CVE-2026-32283 · EXPLOITED · PATCHED
go standard library · crypto/tls

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Affected Products

Vendor | Product | Versions
go standard library | crypto/tls | 0, 1.26.0-0, 1.25.8, 1.26.1

References

  • https://go.dev/cl/763767
  • https://go.dev/issue/78334
  • https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
  • https://pkg.go.dev/vuln/GO-2026-4870

Related News (1 article)

Tier C · VulDB · 5h ago
CVE-2026-32283 | crypto-tls up to 1.25.8/1.26.1 on Go Update Message locking
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 1.25.9, 1.26.2
CWE: CWE-664
Published: Apr 8, 2026
Last enriched: 4h ago (v2)
Tags: DoS, TLS
Trending Score: 46
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: cvss, epss, kev, exploit, iocs

Related CVEs (5)

  • CRITICAL · CVE-2026-33810 · EXP · Trending: 49
    Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
  • HIGH · CVE-2026-32289 · EXP · Trending: 46
    JsBraceDepth Context Tracking Bugs (XSS) in html/template
  • HIGH · CVE-2026-32288 · EXP · Trending: 46
    Unbounded allocation for old GNU sparse in archive/tar
  • HIGH · CVE-2026-32281 · EXP · Trending: 46
    Inefficient policy validation in crypto/x509
  • CRITICAL · CVE-2026-32282 · Trending: 30
    TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 8, 2026
  • Actively Exploited: Apr 8, 2026
  • Patch Available: Apr 8, 2026
  • Discovered by ZDM: Apr 8, 2026
  • Updated (affectedVersions, severity, activelyExploited, cweIds, mitreAttack, tags): Apr 8, 2026

Version History

v2 · Tier C · 4h ago

Updated affected versions, severity to HIGH, marked as actively exploited, and added CWE-664 and MITRE ATT&CK technique T1203.

Changed fields: affectedVersions, severity, activelyExploited, cweIds, mitreAttack, tags
via VulDB
v1 · 8h ago

Initial creation