Skip to main content

Red Hat CVE-2026-32281

| EUVDEUVD-2026-20010 HIGH
Improper Certificate Validation (CWE-295)
2026-04-08 Go
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 16, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:25 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
7.5 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20010
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionCVE.org

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

AnalysisAI

Algorithmic complexity denial of service in Go's crypto/x509 library allows remote attackers to cause resource exhaustion via certificate chains containing excessive policy mappings. Affects Go versions <1.25.9 and 1.26.0-1.26.1. Attack requires no authentication (CVSS AV:N/PR:N) but targets only otherwise-trusted certificate chains from roots in the system or configured trust store. EPSS score 0.01% indicates minimal observed exploitation probability. No active exploitation confirmed (not in CI

Technical ContextAI

This vulnerability resides in Go's crypto/x509 package, the standard library component responsible for X.509 certificate parsing and validation. The issue stems from inefficient algorithmic handling of policy mapping extensions (RFC 5280 section 4.2.1.5), which allow certificate authorities to map policies between domains in certification chains. When a certificate contains an abnormally large number of policy mappings, the validation process exhibits superlinear time complexity, causing CPU exhaustion. Policy mappings are rarely used in practice, making this a niche attack surface. The vulnerable code path is only triggered during validation of chains that anchor to a trusted root in VerifyOptions.Roots or the system certificate pool, meaning the attacker must possess a legitimately-issued certificate from a trusted CA to exploit this flaw-not a typical attacker-controlled scenario. CPE cpe:2.3:a:go_standard_library:crypto/x509 identifies the affected component across all Go-dependent applications using the standard library for TLS/certificate operations.

RemediationAI

Upgrade the Go toolchain to version 1.25.9 or 1.26.2 or later, then recompile all affected applications. The fix is implemented in upstream commit https://go.dev/cl/758061 addressing issue https://go.dev/issue/78281. Organizations should inventory all Go-based services performing certificate validation, prioritizing internet-facing TLS endpoints and mutual TLS authentication systems. Update build pipelines and CI/CD systems to use patched Go versions to prevent reintroduction. For environments unable to immediately upgrade, consider rate limiting or request timeouts on TLS handshake operations as a partial workaround, though this does not address the root cause. No configuration-based mitigation exists since the flaw is in core validation logic. Refer to the official announcement at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU for additional vendor guidance and the vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-4946 for affected version ranges.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-32281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy