CVE-2023-29409

MEDIUM

GO < 1.19.12 - Denial of Service

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-29409. PoCs published by mateusz834.

AI-analyzed exploit summary This PoC demonstrates a CPU exhaustion vulnerability in Go's TLS implementation (CVE-2023-29409) by using a maliciously crafted RSA key with a large modulus during TLS handshakes. The exploit triggers high CPU usage on both client and server sides due to inefficient signature verification.

Description

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

Exploits (1)

nomisec WORKING POC 1 stars
by mateusz834 · poc
https://github.com/mateusz834/CVE-2023-29409

This PoC demonstrates a CPU exhaustion vulnerability in Go's TLS implementation (CVE-2023-29409) by using a maliciously crafted RSA key with a large modulus during TLS handshakes. The exploit triggers high CPU usage on both client and server sides due to inefficient signature verification.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Go TLS implementation (crypto/tls)
No auth needed
Prerequisites: Go environment · OpenSSL for certificate generation · Network access to target
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 5.3
EPSS 0.0133
EPSS Percentile 67.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (2)
golang/go 1.21.0 rc1 (3 CPE variants)
golang/go < 1.19.12
Published Aug 02, 2023
Tracked Since Feb 18, 2026