CVE-2026-39830

CRITICAL

Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

Title source: cna

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

References (5)

Core 5

Core References

https://go.dev/issue/79564

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://go.dev/cl/781640

https://go.dev/cl/781664

https://pkg.go.dev/vuln/GO-2026-5017

Scores

CVSS v3 9.1

EPSS 0.0031

EPSS Percentile 22.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-119

Status published

Products (2)

golang/crypto < 0.52.0

golang.org/x/crypto/golang.org/x/crypto/ssh < 0.52.0

Published May 22, 2026

Tracked Since May 22, 2026