CVE-2026-32283
TLS 1.3 Key Update Deadlock Causes Denial of Service
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32283 is a vulnerability in the Go standard library's crypto/tls package that affects TLS 1.3 connections. It occurs when one side of a TLS connection sends multiple key update messages after the handshake phase within a single record. This causes the connection to deadlock, which leads to uncontrolled consumption of resources.
How can this vulnerability impact me? :
The vulnerability can cause the TLS connection to deadlock, resulting in uncontrolled resource consumption. This can lead to a denial of service (DoS) condition, where the affected system or application becomes unresponsive or unable to handle legitimate requests.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Go programming language to a fixed version that addresses the issue.
- Upgrade to Go version 1.25.9 or later if you are using a 1.25.x release.
- If using Go 1.26.0-0 up to but not including 1.26.2, upgrade to at least 1.26.2 or later.
These updates include the fix for the deadlock caused by multiple key update messages in TLS 1.3 connections, preventing uncontrolled resource consumption and denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.