🟠 High | Source: Microsoft Security Response Center
CVE-2026-55952 is a denial of service vulnerability in TLS 1.3 that can be triggered by sending a malformed ClientHello message containing a crafted pre-shared key (PSK) extension. An attacker can exploit this remotely to crash or make unavailable services relying on the affected TLS implementation. This is particularly significant in cloud environments where TLS termination is widespread and availability is business-critical.
Security Architect’s Take: Review which Azure services and self-managed workloads use the affected TLS 1.3 stack and prioritise patching, particularly for internet-facing endpoints and API gateways. In the interim, consider whether Web Application Firewall (WAF) rules or network-layer controls can block or inspect malformed ClientHello messages as a temporary mitigation.
Original advisory: CVE-2026-55952 TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension