CVE-2026-32952: Denial of Service via Slice Panic in Azure go-ntlmssp
Vulnerability ID: CVE-2026-32952
CVSS Score: 5.3
Published: 2026-04-23
The Azure go-ntlmssp package prior to version 0.1.1 contains a denial-of-service vulnerability stemming from improper input validation. Malicious servers can trigger an unrecoverable Go panic by supplying a crafted NTLM Challenge message, terminating the client application process.
TL;DR
A missing bounds check in the NTLM Type 2 message parser of Azure go-ntlmssp allows malicious servers to crash the client application via an out-of-bounds slice panic.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-190
- Attack Vector: Network
- CVSS v3.1 Score: 5.3
- Impact: Denial of Service (Process Crash)
- Exploit Status: Proof of Concept available
- CISA KEV: Not Listed
Affected Systems
- github.com/Azure/go-ntlmssp (Go package)
- go-ntlmssp: < 0.1.1 (Fixed in: 0.1.1)
Mitigation Strategies
- Update go-ntlmssp dependency to a patched version.
- Implement application-level panic recovery middleware.
- Restrict outbound NTLM authentication to trusted endpoints only.
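The TL;DR above attributes the crash to a missing bounds check in the Type 2 (CHALLENGE_MESSAGE) parser, and the mitigation list recommends panic-recovery middleware. The following added example (not code from go-ntlmssp or from this advisory) shows both sides on the MS-NLMP message layout: a hardened parser that validates every (Len, MaxLen, Offset) "security buffer" before slicing, a deliberately unchecked variant that illustrates the bug class, and a recover() wrapper that converts a parser panic into an ordinary error. All names, the Challenge struct and the BuildChallenge helper are assumptions made for this example; the sample messages are constructed in the code.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MS-NLMP CHALLENGE_MESSAGE layout: 8-byte signature, 4-byte type, then
// security-buffer fields (Len uint16, MaxLen uint16, Offset uint32) that
// point at payload bytes elsewhere in the same message.
const (
	ntlmSignature    = "NTLMSSP\x00"
	challengeMsgType = 2
	targetNameField  = 12 // security buffer for TargetName
	flagsOffset      = 20
	serverChalOffset = 24
	targetInfoField  = 40 // security buffer for TargetInfo
	minChallengeLen  = 48 // fixed part up to and including the TargetInfo field
)

var ErrMalformed = errors.New("ntlm: malformed CHALLENGE_MESSAGE")

// Challenge is an illustrative struct, not the library's type.
type Challenge struct {
	TargetName      []byte
	NegotiateFlags  uint32
	ServerChallenge [8]byte
	TargetInfo      []byte
}

// securityBuffer resolves the field at position at into the bytes it points
// to, refusing any field that reaches past the end of the message. uint64
// arithmetic keeps the check correct on 32-bit platforms too.
func securityBuffer(msg []byte, at int) ([]byte, error) {
	n := uint64(binary.LittleEndian.Uint16(msg[at:]))
	off := uint64(binary.LittleEndian.Uint32(msg[at+4:]))
	if off > uint64(len(msg)) || n > uint64(len(msg))-off {
		return nil, ErrMalformed
	}
	return msg[off : off+n], nil
}

// ParseChallenge is the hardened parser: every slice is bounds-checked, so a
// crafted message yields an error instead of a runtime panic.
func ParseChallenge(msg []byte) (*Challenge, error) {
	if len(msg) < minChallengeLen || string(msg[:8]) != ntlmSignature {
		return nil, ErrMalformed
	}
	if binary.LittleEndian.Uint32(msg[8:]) != challengeMsgType {
		return nil, ErrMalformed
	}
	c := &Challenge{NegotiateFlags: binary.LittleEndian.Uint32(msg[flagsOffset:])}
	copy(c.ServerChallenge[:], msg[serverChalOffset:serverChalOffset+8])
	var err error
	if c.TargetName, err = securityBuffer(msg, targetNameField); err != nil {
		return nil, err
	}
	if c.TargetInfo, err = securityBuffer(msg, targetInfoField); err != nil {
		return nil, err
	}
	return c, nil
}

// parseChallengeUnchecked illustrates the bug class only: Offset and Len are
// trusted from the wire, so an out-of-range field makes the slice panic.
func parseChallengeUnchecked(msg []byte) (*Challenge, error) {
	n := int(binary.LittleEndian.Uint16(msg[targetNameField:]))
	off := int(binary.LittleEndian.Uint32(msg[targetNameField+4:]))
	return &Challenge{TargetName: msg[off : off+n]}, nil
}

// RecoverParse is the panic-recovery mitigation: a parser panic becomes an
// error, so one hostile server cannot take down the whole client process.
func RecoverParse(parse func([]byte) (*Challenge, error), msg []byte) (c *Challenge, err error) {
	defer func() {
		if r := recover(); r != nil {
			c, err = nil, fmt.Errorf("ntlm: parser panic recovered: %v", r)
		}
	}()
	return parse(msg)
}

// BuildChallenge constructs a minimal Type 2 message (test data only). With
// nameOffset < 0 the TargetName field points at the payload; a non-negative
// value is written verbatim so that a malformed message can be built.
func BuildChallenge(targetName []byte, nameOffset int) []byte {
	msg := make([]byte, minChallengeLen, minChallengeLen+len(targetName))
	copy(msg, ntlmSignature)
	binary.LittleEndian.PutUint32(msg[8:], challengeMsgType)
	off := uint32(minChallengeLen)
	if nameOffset >= 0 {
		off = uint32(nameOffset)
	}
	binary.LittleEndian.PutUint16(msg[targetNameField:], uint16(len(targetName)))
	binary.LittleEndian.PutUint16(msg[targetNameField+2:], uint16(len(targetName)))
	binary.LittleEndian.PutUint32(msg[targetNameField+4:], off)
	// TargetInfo stays Len=0, Offset=0: a valid empty buffer.
	return append(msg, targetName...)
}

func main() {
	good := BuildChallenge([]byte("EXAMPLE"), -1)
	bad := BuildChallenge([]byte("EXAMPLE"), 0x7fffffff) // constructed: offset past end
	c, err := ParseChallenge(good)
	fmt.Println(string(c.TargetName), err)
	_, err = ParseChallenge(bad)
	fmt.Println(err)
	_, err = RecoverParse(parseChallengeUnchecked, bad)
	fmt.Println(err)
}
```

The important part of the check is `n > len(msg)-off` rather than `off+n > len(msg)`: the subtraction form cannot overflow once `off <= len(msg)` has been established. The recover wrapper is a second line of defence only; it keeps the process alive but does not make the parser correct, so updating the dependency remains the actual fix.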
Remediation Steps:
- Run go get github.com/Azure/go-ntlmssp@v0.1.1 in the project root.
- Run go mod tidy to update dependencies.
- Recompile the Go application.
- Deploy the updated binary to affected environments.
References
- GitHub Security Advisory GHSA-pjcq-xvwq-hhpj
- v0.1.1 Release Notes
- CVE.org Record
- NVD Vulnerability Detail