CVE-2026-39827

MEDIUM

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

Title source: cna
STIX 2.1

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Scores

CVSS v3 6.5
EPSS 0.0020
EPSS Percentile 9.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-924
Status published
Products (3)
golang/crypto < 0.52.0
golang.org/x/crypto/golang.org/x/crypto/ssh < 0.52.0
x/crypto 0 - 0.52.0Go
Published May 22, 2026
Tracked Since May 22, 2026