Inefficient policy validation in crypto/x509

GO-2026-4946 · BIT-golang-2026-32281 · CVE-2026-32281

Published Apr 7, 2026 · Modified Jun 9, 2026

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

References

FIX https://go.dev/cl/758061
REPORT https://go.dev/issue/78281
WEB https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes