Go RSA and DSA Public Key Parser Size Limit Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in the RSA and DSA public key parsers of the Go programming language's cryptography package. The parsers did not properly enforce size limits on key parameters, so they accepted a crafted public key with an excessively large RSA modulus or DSA parameter. Verifying a signature against such a key could consume several minutes of CPU time. Unauthenticated clients could trigger the issue during public key authentication. In response to this vulnerability, RSA moduli are now restricted to 8192 bits, and DSA parameters are validated according to FIPS 186-2.
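The limits described above can also be enforced as a guard that runs before any signature verification. The following is an added example, not code from the Go project or from the original advisory; the helper names CheckRSAKey and CheckDSAKey are hypothetical, and the guard covers only the cheap size and range checks (it does not test primality).

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// Limits named in the advisory: RSA moduli up to 8192 bits, DSA per FIPS 186-2.
const maxRSAModulusBits = 8192

// CheckRSAKey (hypothetical helper) rejects a key on a cheap bit-length check
// before it can reach the expensive modular exponentiation in verification.
func CheckRSAKey(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil || pub.N.Sign() <= 0 {
		return errors.New("rsa: missing or non-positive modulus")
	}
	if bits := pub.N.BitLen(); bits > maxRSAModulusBits {
		return fmt.Errorf("rsa: %d-bit modulus exceeds %d-bit limit", bits, maxRSAModulusBits)
	}
	return nil
}

// CheckDSAKey (hypothetical helper) applies the FIPS 186-2 sizes: p is 512..1024
// bits in steps of 64 and q is 160 bits; then the range checks on g and y.
func CheckDSAKey(p, q, g, y *big.Int) error {
	for _, v := range []*big.Int{p, q, g, y} {
		if v == nil || v.Sign() <= 0 {
			return errors.New("dsa: missing or non-positive parameter")
		}
	}
	if l := p.BitLen(); l < 512 || l > 1024 || l%64 != 0 {
		return fmt.Errorf("dsa: p is %d bits, outside FIPS 186-2 sizes", l)
	}
	if q.BitLen() != 160 {
		return fmt.Errorf("dsa: q is %d bits, want 160", q.BitLen())
	}
	one := big.NewInt(1)
	if g.Cmp(one) <= 0 || g.Cmp(p) >= 0 || y.Cmp(one) <= 0 || y.Cmp(p) >= 0 {
		return errors.New("dsa: g and y must lie strictly between 1 and p")
	}
	return nil
}

func main() {
	huge := new(big.Int).Lsh(big.NewInt(1), 100000) // constructed oversized modulus
	fmt.Println(CheckRSAKey(&rsa.PublicKey{N: huge, E: 65537}))
}
```

Both checks look only at bit lengths and comparisons, so rejecting an oversized key costs almost nothing compared with verifying a signature against it.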

Impact

Exploitation of this vulnerability can cause significant CPU consumption, leading to a denial-of-service condition where the server becomes unresponsive due to the excessive processing load.

Remediation

Users can update to Go version v0.52.0 or later, where this vulnerability has been addressed.

Added: May 22, 2026, 4:34 AM
Updated: May 22, 2026, 4:34 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 8.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.