CVE-2026-32952

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-32952
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32952.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-32952
Aliases
Downstream
Related
Published
2026-04-24T01:46:31.573Z
Modified
2026-04-25T04:21:29.177824Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
go-ntlmssp NTLM challenges can panic on malformed payloads
Details

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-190"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32952.json"
}
References

Affected packages

Git / github.com/azure/go-ntlmssp

Affected ranges

Type
GIT
Repo
https://github.com/azure/go-ntlmssp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bd8579c18d41bf5d91a5f74b1117c958f635b866
Database specific 
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.1"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.1.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32952.json"