Skip to main content

Crypto Tls EUVDEUVD-2026-20014

| CVE-2026-32283 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-08 Go GHSA-jrg3-gfjw-hm96
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 16, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:25 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
7.5 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20014
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionNVD

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

AnalysisAI

Deadlock in Go's crypto/tls library (versions <1.25.9 and 1.26.0-1.26.1) allows remote unauthenticated attackers to trigger denial of service via multiple TLS 1.3 post-handshake key update messages sent in a single record. CVSS 7.5 (High) with network attack vector and low complexity, but EPSS score of 0.01% (0th percentile) indicates minimal real-world exploitation probability. Vendor-released patches available in Go 1.25.9 and 1.26.2, with no public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability affects the Go standard library's crypto/tls implementation, specifically the handling of TLS 1.3 post-handshake key update messages as defined in RFC 8446. In TLS 1.3, KeyUpdate messages allow either peer to request cryptographic key material refresh without full renegotiation. The Go crypto/tls package fails to properly handle scenarios where an attacker sends multiple KeyUpdate messages bundled within a single TLS record (rather than separate records). This triggers a deadlock condition in the connection state machine, causing the TLS session to hang indefinitely and consume resources (CPU cycles, memory buffers, goroutines) without releasing them. The flaw is specific to TLS 1.3's post-handshake messaging mechanism and does not affect TLS 1.2 or earlier protocols, which lack this key update feature. The affected CPE (cpe:2.3:a:go_standard_library:crypto/tls) indicates any Go application using the standard library's TLS implementation for server or client operations with TLS 1.3 enabled is potentially vulnerable.

RemediationAI

Upgrade to Go version 1.25.9 or 1.26.2 or later, which contain the fix implemented in code review https://go.dev/cl/763767. Recompile all affected applications with the patched Go toolchain to ensure the crypto/tls library remediation is incorporated into binary artifacts. The official Go security announcement at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU provides release notes and migration guidance. If immediate upgrade is not feasible, temporary workaround options include disabling TLS 1.3 protocol support (forcing TLS 1.2 via MaxVersion configuration in tls.Config) or implementing connection timeouts and resource limits to mitigate deadlock impact, though these reduce functionality and security posture. Organizations should prioritize the upgrade path over workarounds given the straightforward remediation and availability of stable patched releases.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy