Azure/go-ntlmssp, Slice Out of Bounds, CVE-2026-29053 (Moderate)

Listen to this Post

The vulnerability is exploited during the processing of a maliciously crafted NTLM (NT LAN Manager) Type 2 message, also known as the CHALLENGE_MESSAGE. The `go-ntlmssp` library, when acting as an NTLM negotiator in an HTTP transport, fails to validate the length of the `TargetInfo` field within the received challenge.
The library reads the `TargetInfo` field as a sequence of `AV_PAIR` structures, which consist of an `AvId` (2 bytes) and a `Length` (2 bytes) followed by a value. The parser iterates through these pairs. This parsing routine lacks sufficient bounds checking when processing the length value to read the subsequent data.
As a result, if an attacker sends an NTLM challenge where the length of the `TargetInfo` field does not match the sum of the lengths of its constituent parts (e.g., a truncated `AV_PAIR` where the `Length` field points beyond the remaining data), the program will attempt to read from an invalid slice index. This triggers a `slice bounds out of range` panic in the Go runtime, causing the process to crash. The crash can lead to a denial-of-service (DoS) condition, effectively bringing down any Go application that relies on this library for NTLM authentication.
The panic occurs precisely in the function that decodes the `TargetInfo` data, as the loop does not check the `offset + length` against the actual bounds of the byte slice. The attack requires the ability to send a malformed HTTP response containing the malicious NTLM challenge to a client using the vulnerable library, making it a network-based, remote attack.

DailyCVE Form:

Platform: Go library
Version: All pre-patch
Vulnerability : Slice OOB
Severity: Moderate
date: Apr 23, 2026
Prediction: Apr 24, 2026

Analytics under What Undecode Say:

Bash commands:

Check if your go.mod is using a vulnerable version
grep "github.com/Azure/go-ntlmssp" go.mod
Verify the version in the current module cache
go list -m -u all | grep "github.com/Azure/go-ntlmssp"

Code Snippet of Vulnerable Logic:

// Vulnerable parsing loop (simplified)
func parseTargetInfo(data []byte) {
var avPairs []AVPair
offset := 0
for offset < len(data) {
id := binary.LittleEndian.Uint16(data[offset:offset+2])
length := binary.LittleEndian.Uint16(data[offset+2:offset+4])
// No check for offset+4+length <= len(data) – leads to panic
value := data[offset+4 : offset+4+int(length)]
avPairs = append(avPairs, AVPair{AvId: id, Value: value})
offset += 4 + int(length)
}
}

Exploit:

An attacker can send an HTTP response containing a crafted `WWW-Authenticate: NTLM` header with a Base64-encoded Type 2 message. The `TargetInfo` field in this message is structured to have a length that overruns the buffer, e.g., an `AvId` of `0x0005` (‘MsvAvNbComputerName’) with a `Length` of `20` when only `10` bytes are actually present in the payload. This causes the slice read to go out of bounds, panicking the goroutine.

Protection from this CVE:

  • Upgrade: Immediately update to the patched version of `github.com/Azure/go-ntlmssp` (commit hash not yet known). Check for a new release in the GitHub repository.
  • Workaround: If patching is not immediately possible, avoid using the `Negotiator` as an `http.RoundTripper` for untrusted HTTP endpoints. Validate all incoming NTLM challenge messages before passing them to the library, though this is not recommended.

Impact:

A remote, unauthenticated attacker can cause a denial-of-service (DoS) condition by crashing any Go application that processes NTLM authentication using the vulnerable library. This can be exploited by sending a single malicious HTTP response, leading to service disruption and potential cascading failures in high-availability environments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top