PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32952 Azure CVE debrief

CVE-2026-32952 is an availability issue in go-ntlmssp before version 0.1.1. According to the NVD record and the project’s GitHub advisory/release notes, a crafted NTLM challenge message (the Type 2 message a server returns during the handshake) can trigger a slice-out-of-bounds panic in the library. Because an unrecovered panic terminates the whole Go process, this can crash any process that uses ntlmssp.Negotiator as an HTTP transport unless the caller recovers the panic itself. The project states that version 0.1.1 fixes the issue.

Vendor
Azure
Product
go-ntlmssp
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-05-21
Advisory published
2026-04-24
Advisory updated
2026-05-21

Who should care

Teams that use go-ntlmssp for NTLM/Negotiate authentication over HTTP. The challenge message is produced by the server side of the exchange, so the exposure is on the client: applications that authenticate to servers they do not control, that can be redirected to an attacker-chosen server, or that speak plaintext HTTP where an on-path attacker can rewrite the server’s response. This also matters for operators of Go services where a process crash would affect availability.

Technical summary

The vulnerability is described as a panic triggered by a crafted NTLM challenge message in go-ntlmssp versions prior to 0.1.1. NVD maps the issue to CWE-190 (Integer Overflow or Wraparound) and rates it CVSS 3.1 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L): remotely reachable, no privileges or user interaction required, and impact limited to availability with no confidentiality or integrity effect. The affected usage pattern called out in the record is ntlmssp.Negotiator used as an HTTP transport.
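The following is an added illustration of the bug class described above, not go-ntlmssp’s own code and not a reproduction of the actual defect. It builds a constructed NTLM CHALLENGE_MESSAGE (layout per MS-NLMP: signature, message type, TargetName descriptor, flags, server challenge, reserved, TargetInfo descriptor), then parses it two ways: a naive parser that slices directly on the wire-supplied offset and length, and a bounded parser that checks offset+length against the message size in 64-bit arithmetic. The crafted variant sets a TargetInfo offset of 0xFFFFFFF0 with length 0x20, so a 32-bit end computation wraps to 0x10 (the CWE-190 angle) and the naive slice panics, while the bounded parser returns an error. Function names, field values and the sample payloads are all assumptions made for this demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	signature        = "NTLMSSP\x00"
	msgTypeChallenge = 2
	headerLen        = 48 // fixed fields of CHALLENGE_MESSAGE, up to the optional Version
)

// Challenge holds the fields a client needs from an NTLM CHALLENGE_MESSAGE.
type Challenge struct {
	Flags           uint32
	ServerChallenge [8]byte
	TargetName      []byte
	TargetInfo      []byte
}

var ErrMalformed = errors.New("ntlm: malformed CHALLENGE_MESSAGE")

// putField writes a (Len, MaxLen, BufferOffset) payload descriptor at fieldOff.
func putField(msg []byte, fieldOff, length int, bufOff uint32) {
	binary.LittleEndian.PutUint16(msg[fieldOff:], uint16(length))
	binary.LittleEndian.PutUint16(msg[fieldOff+2:], uint16(length))
	binary.LittleEndian.PutUint32(msg[fieldOff+4:], bufOff)
}

// BuildChallenge produces a minimal, well-formed CHALLENGE_MESSAGE. It exists
// only to construct sample input for this demo.
func BuildChallenge(flags uint32, serverChallenge [8]byte, targetName, targetInfo []byte) []byte {
	msg := make([]byte, headerLen)
	copy(msg, signature)
	binary.LittleEndian.PutUint32(msg[8:], msgTypeChallenge)
	putField(msg, 12, len(targetName), headerLen)
	binary.LittleEndian.PutUint32(msg[20:], flags)
	copy(msg[24:32], serverChallenge[:])
	putField(msg, 40, len(targetInfo), uint32(headerLen+len(targetName)))
	msg = append(msg, targetName...)
	return append(msg, targetInfo...)
}

// CraftOverflowingTargetInfo copies msg and rewrites the TargetInfo descriptor so
// that offset+length lies far outside the message; in 32-bit arithmetic the sum
// even wraps to 0x10, which is what makes a naive end-of-field check useless.
func CraftOverflowingTargetInfo(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	putField(out, 40, 0x20, 0xFFFFFFF0)
	return out
}

// payloadField resolves a payload descriptor at fieldOff to a sub-slice of msg,
// refusing descriptors that point outside the message. The sum is computed in
// 64 bits so a large 32-bit offset cannot wrap past the check.
func payloadField(msg []byte, fieldOff int) ([]byte, error) {
	length := uint64(binary.LittleEndian.Uint16(msg[fieldOff:]))
	start := uint64(binary.LittleEndian.Uint32(msg[fieldOff+4:]))
	if start+length > uint64(len(msg)) {
		return nil, ErrMalformed
	}
	return msg[start : start+length], nil
}

// ParseChallenge is the bounded parser: every wire-supplied offset and length is
// validated against len(msg) before it is used to slice.
func ParseChallenge(msg []byte) (*Challenge, error) {
	if len(msg) < headerLen || string(msg[:8]) != signature ||
		binary.LittleEndian.Uint32(msg[8:]) != msgTypeChallenge {
		return nil, ErrMalformed
	}
	c := &Challenge{Flags: binary.LittleEndian.Uint32(msg[20:])}
	copy(c.ServerChallenge[:], msg[24:32])
	var err error
	if c.TargetName, err = payloadField(msg, 12); err != nil {
		return nil, err
	}
	if c.TargetInfo, err = payloadField(msg, 40); err != nil {
		return nil, err
	}
	return c, nil
}

// NaiveTargetInfo trusts the wire descriptor and slices directly. This is an
// illustration of the pattern behind a slice-bounds panic, not go-ntlmssp's code.
func NaiveTargetInfo(msg []byte) []byte {
	length := uint32(binary.LittleEndian.Uint16(msg[40:]))
	start := binary.LittleEndian.Uint32(msg[44:])
	return msg[start : start+length]
}

// Panics reports whether f panics, so the two parsers can be compared safely.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	sc := [8]byte{1, 2, 3, 4, 5, 6, 7, 8} // constructed server challenge
	good := BuildChallenge(0xe2898215, sc, []byte("S\x00R\x00V\x00"), []byte{0, 0, 0, 0})
	bad := CraftOverflowingTargetInfo(good)
	for _, m := range []struct {
		name string
		msg  []byte
	}{{"good", good}, {"crafted", bad}} {
		_, err := ParseChallenge(m.msg)
		fmt.Printf("%-8s bounded parser err=%v, naive parser panics=%v\n",
			m.name, err, Panics(func() { NaiveTargetInfo(m.msg) }))
	}
}
```

The design point is that a client must treat every offset and length in a Type 2 message as attacker-controlled: a server (or on-path attacker) chooses them, and the only safe order of operations is to compare against the received length in an arithmetic width that cannot overflow, then slice.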

Defensive priority

Medium. Upgrade promptly if your systems use go-ntlmssp and can receive untrusted NTLM challenge messages, because the issue can crash the process. Prioritize faster remediation for internet-facing or high-availability services.

Recommended defensive actions

  • Upgrade go-ntlmssp to version 0.1.1 or later.
  • Inventory Go services that use ntlmssp.Negotiator as an HTTP transport.
  • Assess whether any deployments can receive NTLM challenges from untrusted or externally controlled peers.
  • Treat process crashes in affected services as a security-relevant availability risk and monitor for restart loops or repeated failures.
  • Use the project advisory and release notes to confirm the fixed version in your dependency management workflow.

Evidence notes

The supplied NVD record lists the vulnerable version range as all versions before 0.1.1 and cites CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L with weakness CWE-190. The GitHub release notes for v0.1.1 and the vendor advisory both reference the fix. Publication date used here is the CVE publishedAt timestamp provided in the source corpus (2026-04-24T03:16:07.833Z).

Official resources

Publicly disclosed on 2026-04-24 per the supplied CVE publishedAt timestamp. The record was last modified on 2026-05-21. The supplied enrichment does not mark this issue as a CISA KEV item.