GO-2026-4870
- Source
- https://pkg.go.dev/vuln/GO-2026-4870
- Import Source
- https://vuln.go.dev/ID/GO-2026-4870.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2026-4870
- Aliases
-
- CVE-2026-32283
- Published
- 2026-04-07T22:53:49Z
- Modified
- 2026-04-08T01:15:28.922954Z
- Summary
- Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
- Details
-
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-4870" }- References
- Credits
-
-
- Jakub Ciolek - https://ciolek.dev/
-
Affected packages
Go / stdlib
Package
- Name
- stdlib
- View open source insights on deps.dev
- Purl
- pkg:golang/stdlib
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.25.9Introduced1.26.0-0Fixed1.26.2
Ecosystem specific
{
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.handleKeyUpdate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext",
"QUICConn.HandleData",
"QUICConn.Start",
"clientHandshakeStateTLS13.establishHandshakeKeys",
"clientHandshakeStateTLS13.readServerFinished",
"serverHandshakeStateTLS13.readClientFinished",
"serverHandshakeStateTLS13.sendServerParameters"
]
}
]
}