Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-32952

CVE-2026-32952

MEDIUM5.3

go-ntlmssp NTLM challenges can panic on malformed payloads

Published Apr 24, 2026

Modified 5 days ago

Details

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue.

References

https://github.com/Azure/go-ntlmssp/releases/tag/v0.1.1

https://github.com/Azure/go-ntlmssp/security/advisories/GHSA-pjcq-xvwq-hhpj

https://www.cve.org/CVERecord?id=CVE-2026-32952

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

LowA:L

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedApr 24, 2026

ModifiedApr 24, 2026

CVE-2026-32952 | Mondoo Vulnerability Intelligence