Bug 2456338 (CVE-2026-32283)

Summary: CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, akostadi, akoudelk, alcohan, alebedev, alizardo, amasferr, anjoseph, anpicker, ansmith, anthomas, ataylor, bbrownin, bdettelb, bparees, chfoley, ckandaga, cmah, crizzo, csutherl, dbruscin, dhanak, dmayorov, doconnor, drosa, dschmidt, dsimansk, dsoumis, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gparvin, hasun, ibolton, janstey, jbalunas, jburrell, jcantril, jchui, jclere, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jprabhak, jpretori, jraez, jschluet, juwatts, kingland, kshier, ktsao, kvanderr, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, manissin, mbocek, mburns, mgarciac, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nipatil, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pcreech, peholase, pgaikwad, pjindal, plodge, psrna, ptisnovs, pvasanth, rchan, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rmaucher, rojacob, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, syedriko, szappis, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vimartin, vkarehfa, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2457798    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-08 02:01:39 UTC 
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Comment 5 errata-xmlrpc 2026-04-23 21:35:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:10217 https://access.redhat.com/errata/RHSA-2026:10217
Comment 6 errata-xmlrpc 2026-04-24 02:33:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:10219 https://access.redhat.com/errata/RHSA-2026:10219
Comment 7 errata-xmlrpc 2026-04-27 02:09:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:10704 https://access.redhat.com/errata/RHSA-2026:10704
Comment 8 errata-xmlrpc 2026-04-29 07:28:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:11507 https://access.redhat.com/errata/RHSA-2026:11507
Comment 9 errata-xmlrpc 2026-04-29 08:02:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:11514 https://access.redhat.com/errata/RHSA-2026:11514
Comment 12 errata-xmlrpc 2026-04-29 13:03:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:11704 https://access.redhat.com/errata/RHSA-2026:11704
Comment 13 errata-xmlrpc 2026-04-29 13:09:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:11712 https://access.redhat.com/errata/RHSA-2026:11712
Comment 14 errata-xmlrpc 2026-04-29 13:27:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:11711 https://access.redhat.com/errata/RHSA-2026:11711
Comment 15 errata-xmlrpc 2026-04-29 17:50:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:11863 https://access.redhat.com/errata/RHSA-2026:11863
Comment 16 errata-xmlrpc 2026-04-29 19:02:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:11881 https://access.redhat.com/errata/RHSA-2026:11881
Comment 19 errata-xmlrpc 2026-05-06 15:29:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:14200 https://access.redhat.com/errata/RHSA-2026:14200
Comment 20 errata-xmlrpc 2026-05-06 21:10:12 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:14391 https://access.redhat.com/errata/RHSA-2026:14391
Comment 21 errata-xmlrpc 2026-05-11 12:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:15980 https://access.redhat.com/errata/RHSA-2026:15980
Comment 22 errata-xmlrpc 2026-05-11 16:19:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:16024 https://access.redhat.com/errata/RHSA-2026:16024
Comment 23 errata-xmlrpc 2026-05-11 18:31:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:16021 https://access.redhat.com/errata/RHSA-2026:16021
Comment 24 errata-xmlrpc 2026-05-11 22:43:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:16101 https://access.redhat.com/errata/RHSA-2026:16101
Comment 25 errata-xmlrpc 2026-05-11 22:43:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:16102 https://access.redhat.com/errata/RHSA-2026:16102
Comment 26 errata-xmlrpc 2026-05-13 07:59:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:16875 https://access.redhat.com/errata/RHSA-2026:16875
Comment 27 errata-xmlrpc 2026-05-13 15:05:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:17075 https://access.redhat.com/errata/RHSA-2026:17075
Comment 28 errata-xmlrpc 2026-05-13 15:36:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:17084 https://access.redhat.com/errata/RHSA-2026:17084
Comment 29 errata-xmlrpc 2026-05-13 19:24:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:17287 https://access.redhat.com/errata/RHSA-2026:17287