Go Crypto Vulnerability CVE-2026-32280: Certificate Chain Processing Flaw Risks Denial of Service

A newly disclosed vulnerability in Go's core cryptographic libraries creates a denial-of-service risk for a wide range of applications. The flaw, tracked as CVE-2026-32280, resides in how the `crypto/x509` and `crypto/tls` packages process certificate chains. Specifically, during chain building, the system fails to correctly limit computational work when a large number of intermediate certificates are supplied via `VerifyOptions.Intermediates`. This unchecked processing can allow an attacker to exhaust server resources by presenting a maliciously crafted chain, leading to a service outage.

The vulnerability is confirmed to affect multiple active branches of the Go programming language, including `release-1.17`, `release-1.16`, and the `main` development branch. This broad scope indicates the issue is not confined to a single, outdated version but is present in current and recent releases. The finding was surfaced through automated code scanning (CodeQL scan ID 2335) within the Kyverno project's security advisory, highlighting how modern security tooling is uncovering latent risks in foundational infrastructure code.

The implications are significant for any service built with Go that handles TLS connections or X.509 certificate validation—a category encompassing web servers, APIs, microservices, and cloud-native tooling. While the exact exploit path requires an attacker to supply a chain with many intermediates, the potential for resource exhaustion poses a tangible operational threat. Developers and security teams must monitor for official patches from the Go project. Until a fix is deployed, the risk of service disruption from this certificate processing flaw remains active.