{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32281", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-04-08T01:06:58.354Z", "dateUpdated": "2026-04-08T01:06:58.354Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:58.354Z"}, "title": "Inefficient policy validation in crypto/x509", "descriptions": [{"lang": "en", "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "policiesValid"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity"}]}], "references": [{"url": "https://go.dev/cl/758061"}, {"url": "https://go.dev/issue/78281"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4946"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "id": "CVE-2026-32281", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.350", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/758061"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78281"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4946"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T02:22:06.874654+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Go release that contains the patch (see the advisory at https://pkg.go.dev/vuln/GO-2026-4946).", "If an immediate upgrade is impossible, disable policy mapping in certificate verification or apply a custom VerifyFunc that limits policy mapping count.", "Monitor TLS handshakes for unusually high CPU usage and alert on extended verification times.", "Verify that only trusted root CAs are in VerifyOptions.Roots CertPool and avoid adding certificates with excessive policy mappings."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems are any Go applications that use the standard library\u2019s certificate validation routine with policy mapping enabled. This includes servers, HTTP clients, gRPC services, and any other Go\u2011based software that calls cert.Verify with VerifyOptions.Roots CertPool or the system certificate pool. The CVE does not specify the exact Go version, but it impacts all releases prior to the fix referenced in the advisory.", "description_and_impact": "The vulnerability occurs in the Go standard library\u2019s crypto/x509 package during validation of policy\u2011mapped certificate chains. When a chain contains a very large number of policy mappings, the validation algorithm becomes unexpectedly slow, consuming excessive CPU cycles. An attacker who can supply such a chain\u2014such as through a malicious server or a crafted client certificate\u2014can trigger this inefficiency and cause a denial of service that affects the process performing the validation. The weakness is a resource exhaustion condition attributable to policy handling (CWE\u2011770).", "risk_and_exploitability": "The CVSS score is not provided and EPSS data is unavailable, but the attack surface is remote: an attacker can supply a malicious certificate chain over TLS or other certificate\u2011driven protocols. The exploit requires no special privileges and only targets processes that perform chain verification. Because the flaw is not on the CISA KEV list, it is not currently known to be exploited in the wild. Until an official patch is applied, the risk remains for any service that validates large policy\u2011mapped chains."}}}}, "created": "2026-04-08T19:44:16.330263+00:00", "updated": "2026-04-08T19:44:16.330316+00:00", "vendors": [], "weaknesses": ["CWE-770"]}