What is the CVSS score of CVE-2026-39834?

CVE-2026-39834 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of golang.org/x/crypto/ssh are affected by CVE-2026-39834?

The Go golang.org/x/crypto/ssh library (versions prior to 0.52.0) contains a critical integer overflow vulnerability causing denial of service when processing SSH transfers exceeding 4GB.. A patch is available.

golang.org/x/crypto/ssh CVE-2026-39834

EUVD-2026-31400 CRITICAL

Integer Overflow or Wraparound (CWE-190)

2026-05-22 Go

Buffer Overflow Integer Overflow Golang Org X Crypto Ssh

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 15:07 vuln.today

CVSS changed

May 28, 2026 - 15:07 NVD

9.1 (None) 9.1 (CRITICAL)

Patch available

May 22, 2026 - 04:31 EUVD

CVE Published

May 22, 2026 - 02:31 nvd

UNKNOWN (no severity yet)

DescriptionNVD

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

AnalysisAI

Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.

RemediationAI

Within 24 hours: Audit inventory for all Go applications using golang.org/x/crypto/ssh. Within 7 days: Update affected applications to golang.org/x/crypto v0.52.0 or later and test in staging. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39834 vulnerability details – vuln.today

Back

golang.org/x/crypto/ssh CVE-2026-39834

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code