{"id":"GO-2026-4870","summary":"Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls","details":"If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.\n\nThis only affects TLS 1.3.","aliases":["CVE-2026-32283"],"modified":"2026-04-08T01:15:28.922954Z","published":"2026-04-07T22:53:49Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4870"},"references":[{"type":"FIX","url":"https://go.dev/cl/763767"},{"type":"REPORT","url":"https://go.dev/issue/78334"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.9"},{"introduced":"1.26.0-0"},{"fixed":"1.26.2"}]}],"ecosystem_specific":{"imports":[{"path":"crypto/tls","symbols":["Conn.Handshake","Conn.HandshakeContext","Conn.Read","Conn.Write","Conn.handleKeyUpdate","Dial","DialWithDialer","Dialer.Dial","Dialer.DialContext","QUICConn.HandleData","QUICConn.Start","clientHandshakeStateTLS13.establishHandshakeKeys","clientHandshakeStateTLS13.readServerFinished","serverHandshakeStateTLS13.readClientFinished","serverHandshakeStateTLS13.sendServerParameters"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4870.json"}}],"schema_version":"1.7.5","credits":[{"name":"Jakub Ciolek - https://ciolek.dev/"}]}