Fluid Attacks Database

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
go	stdlib	>=0 <1.25.9	1.25.9
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| =1.25.2-1 \|\| =1.25.3-1 \|\| =1.25.6-1 \|\| =1.25.7-1 \|\| =1.25.7-2 \|\| =1.25.8-1 \|\| >=0 <1.25.9-1	1.25.9-1
rpm rhel8	containernetworking-plugins	-	-
rpm rhel10	delve	<0:1.26.1-2.el10_2	0:1.26.1-2.el10_2
rpm rhel9	grafana-pcp	-	-
rpm rhel10	gvisor-tap-vsock	-	-
rpm rhel9	gvisor-tap-vsock	-	-
rpm rhel7	host-metering	-	-
rpm rhel8	podman	-	-

1-10 of 86

Aliases

1. CVE-2026-322802. NVD-2026-322803. OSV-DEBIAN-2026-322804. OSV-2026-322805. OSV-GO-2026-49476. GCVE-2026-322807. SECURITY-TRACKER-CVE-2026-32280

References

1. https://go.dev/cl/7583202. https://go.dev/issue/782823. https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.