If one side of the TLS connection sends multiple key update messages
post-handshake in a single record, the connection can deadlock, causing
uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.
This is CVE-2026-32283 and Go issue https://go.dev/issue/78334.
This is a PRIVATE issue for CVE-2026-32283, tracked in http://b/489152979 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3881.
/cc @golang/security and @golang/release
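The condition described above can be checked on the receiving side once a record is decrypted. The following is an added illustration, not the Go fix and not code from crypto/tls: it applies the RFC 8446 section 5.1 rule that a KeyUpdate must end its record, so a second KeyUpdate (or any other data) after it in the same record is rejected. The function and error names are hypothetical, and the input is assumed to hold whole handshake messages from one record.

```go
package main

import (
	"errors"
	"fmt"
)

const typeKeyUpdate = 24 // HandshakeType key_update (RFC 8446, section 4)
var (
	ErrTruncated    = errors.New("truncated handshake message")
	ErrBadKeyUpdate = errors.New("malformed KeyUpdate")
	ErrNotAligned   = errors.New("data follows KeyUpdate in the same record")
)

// CheckHandshakeRecord walks the handshake messages carried in one decrypted
// TLS 1.3 record and returns how many KeyUpdate messages it accepted.
// Assumption: plaintext holds whole messages (no cross-record fragments).
func CheckHandshakeRecord(plaintext []byte) (int, error) {
	n := 0
	for len(plaintext) > 0 {
		if len(plaintext) < 4 {
			return n, ErrTruncated
		}
		typ := plaintext[0]
		size := int(plaintext[1])<<16 | int(plaintext[2])<<8 | int(plaintext[3])
		if len(plaintext)-4 < size {
			return n, ErrTruncated
		}
		body := plaintext[4 : 4+size]
		plaintext = plaintext[4+size:]
		if typ != typeKeyUpdate {
			continue
		}
		n++
		// Body is one byte: update_not_requested(0) or update_requested(1).
		if size != 1 || body[0] > 1 {
			return n, ErrBadKeyUpdate
		}
		if len(plaintext) > 0 { // keys change here, so the record must end
			return n, ErrNotAligned
		}
	}
	return n, nil
}

func main() {
	ku := []byte{typeKeyUpdate, 0, 0, 1, 0} // constructed sample message
	double := append(append([]byte{}, ku...), ku...)
	fmt.Println(CheckHandshakeRecord(double))
}
```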