Skip to main content

Crypto X509 EUVDEUVD-2026-20008

| CVE-2026-32280 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-08 Go
7.5
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 19:22 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20008
Analysis Generated
Apr 08, 2026 - 01:45 vuln.today
CVE Published
Apr 08, 2026 - 01:06 nvd
HIGH 7.5

DescriptionCVE.org

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

AnalysisAI

Denial of service in Go's crypto/x509 chain builder allows remote attackers to exhaust server resources by submitting a large number of intermediate certificates during TLS handshake or direct certificate verification. Affects crypto/x509 versions prior to 1.25.9 and 1.26.0-1.26.1. No public exploit identified at time of analysis, though SSVC assessment indicates the attack is automatable. EPSS exploitation probability is minimal (0.01%), suggesting low observed attacker interest despite the network-accessible attack surface and lack of authentication requirements.

Technical ContextAI

The Go standard library's crypto/x509 package implements X.509 certificate chain building and validation, a critical component for TLS/SSL certificate verification. When validating a certificate chain, the library attempts to build a trust path from the presented certificate to a trusted root by evaluating intermediate certificates. The vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) stems from insufficient computational limits during this chain-building process when processing certificates provided in VerifyOptions.Intermediates. An attacker can exploit this by presenting an excessive number of intermediate certificates, forcing the chain builder into exponential or polynomial time complexity operations without adequate resource bounds. This affects both direct API consumers calling crypto/x509 verification functions and indirect users relying on crypto/tls for HTTPS/TLS connections, as TLS handshakes invoke certificate chain validation internally.

RemediationAI

Upgrade to Go version 1.25.9 or later for the 1.25.x series, or Go version 1.26.2 or later for the 1.26.x series, as documented in the vendor security announcement at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU. The fix implementation is available in code review https://go.dev/cl/758320 and addresses the resource allocation issue by imposing proper computational limits during certificate chain building. After upgrading the Go toolchain, recompile and redeploy all affected applications to incorporate the patched crypto/x509 library, as Go binaries statically link the standard library. For environments where immediate patching is infeasible, implement network-level rate limiting or TLS termination at a hardened reverse proxy to reduce exposure, though these workarounds do not eliminate risk for direct crypto/x509 API usage. Validate the fix using the vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-4947 and verify deployed Go version using 'go version' on production binaries.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy