Skip to main content

Crypto Tls

2 CVEs product

Monthly

CVE-2026-42505 Go MEDIUM PATCH This Month

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.

Information Disclosure Crypto Tls
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-32283 Go HIGH PATCH This Week

Deadlock in Go's crypto/tls library (versions <1.25.9 and 1.26.0-1.26.1) allows remote unauthenticated attackers to trigger denial of service via multiple TLS 1.3 post-handshake key update messages sent in a single record. CVSS 7.5 (High) with network attack vector and low complexity, but EPSS score of 0.01% (0th percentile) indicates minimal real-world exploitation probability. Vendor-released patches available in Go 1.25.9 and 1.26.2, with no public exploit code identified at time of analysis.

Denial Of Service Crypto Tls
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.

Information Disclosure Crypto Tls
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Deadlock in Go's crypto/tls library (versions <1.25.9 and 1.26.0-1.26.1) allows remote unauthenticated attackers to trigger denial of service via multiple TLS 1.3 post-handshake key update messages sent in a single record. CVSS 7.5 (High) with network attack vector and low complexity, but EPSS score of 0.01% (0th percentile) indicates minimal real-world exploitation probability. Vendor-released patches available in Go 1.25.9 and 1.26.2, with no public exploit code identified at time of analysis.

Denial Of Service Crypto Tls
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy