CVE-2026-32280: Critical Go TLS Chain Verification Flaw Threatens Denial-of-Service Attacks

A critical vulnerability in the Go programming language's TLS certificate verification process, designated CVE-2026-32280, creates a direct path to resource exhaustion and denial-of-service attacks. The flaw resides in the `crypto/x509` package, where the chain-building logic fails to correctly limit computational work when processing a large number of intermediate certificates supplied via `VerifyOptions.Intermediates`. This allows a maliciously crafted certificate chain to trigger excessive CPU consumption, potentially crippling services that rely on Go's TLS stack for secure communications.

The vulnerability is actively tracked within the World Federation of Advertisers' Cross-Media Measurement project on GitHub, where an automated code-scanning alert (#5962) has been raised. The issue stems from the nightly build `refs/tags/nightly/20260420.1`, indicating it was detected in recent development code. The core failure is a missing or incorrect bound on the work performed during path validation, turning a standard cryptographic operation into a vector for computational resource exhaustion.

This flaw places a wide range of networked services written in Go at potential risk, including web servers, APIs, microservices, and any application performing TLS client or server authentication. While the exact exploitability depends on an attacker's ability to supply malicious certificates, the vulnerability's presence in a fundamental security library warrants immediate scrutiny for development and security teams. The public CVE entry and active GitHub tracking signal that patches or mitigations are required to prevent this denial-of-service vector from being weaponized.