CVE-2026-32952 Common Vulnerabilities and Exposures

Upstream information

CVE-2026-32952 at MITRE

Description

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.

SUSE information

Overall state of this security issue: Does not affect SUSE products

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`cmctl >= 2.5.0-1.1` `cmctl-bash-completion >= 2.5.0-1.1` `cmctl-fish-completion >= 2.5.0-1.1` `cmctl-zsh-completion >= 2.5.0-1.1` `rclone >= 1.74.0-1.1` `rclone-bash-completion >= 1.74.0-1.1` `rclone-zsh-completion >= 1.74.0-1.1`	Patchnames: openSUSE-Tumbleweed-2026-10672 openSUSE-Tumbleweed-2026-10682

SUSE Timeline for this CVE

CVE page created: Fri Apr 24 06:00:57 2026
CVE page last modified: Fri May 8 12:08:54 2026