Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
TLS 1.3 Connections Can Be Bricked by Malicious Key Updates
DEBIAN-CVE-2026-32283
Summary
If you're using TLS 1.3, an attacker can potentially crash your server or connection by sending multiple key updates at once. This could lead to a denial of service, where your server becomes unresponsive. To protect yourself, consider updating to a newer version of TLS or implementing additional security measures to handle key updates properly.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | All versions | – |
| debian | golang-1.26 | All versions | – |
Original title
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to ...
Original description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
- https://security-tracker.debian.org/tracker/CVE-2026-32283 Vendor Advisory
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026