golang.org/x/crypto EUVD-2026-31390 | CVE-2026-39832

Severity: CRITICAL
Weakness: Deserialization of Untrusted Data (CWE-502)
2026-05-22 | Go
CVSS 3.1: 9.1
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (4 events)

Analysis Generated: May 28, 2026 - 15:22 (vuln.today)
CVSS changed: May 28, 2026 - 15:22 (NVD), 9.1 (None) -> 9.1 (CRITICAL)
Patch available: May 22, 2026 - 04:31 (EUVD)
CVE Published: May 22, 2026 - 02:31 (nvd), UNKNOWN (no severity yet)

Description (NVD)

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Analysis (AI)

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. …

Remediation (AI)

Within 24 hours: Inventory all applications and Go modules using golang.org/x/crypto and identify those used in SSH key forwarding scenarios. Within 7 days: Update to golang.org/x/crypto 0.52.0 or later and rebuild all affected applications and binaries. …
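One way to run the inventory step, as an added example that is not code from this page or from the golang.org/x/crypto project: it reads `go list -m all` output and flags any effective golang.org/x/crypto version below 0.52.0. The function names and the sample module list are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const modPath = "golang.org/x/crypto"
const fixedMinor = 52 // advisory: fixed in v0.52.0

// Constructed sample of `go list -m all` output, not from a real project.
const sampleList = `example.com/bastion
golang.org/x/crypto v0.31.0
golang.org/x/sys v0.28.0`

// vulnerable reports whether module version v predates v0.52.0.
func vulnerable(v string) (bool, error) {
	var major, minor int
	var rest string
	if _, err := fmt.Sscanf(v, "v%d.%d.%s", &major, &minor, &rest); err != nil {
		return false, fmt.Errorf("not a module version: %q", v)
	}
	// Pre-releases of v0.52.0 ("0-...") sort before the fixed release.
	pre := minor == fixedMinor && strings.HasPrefix(rest, "0-")
	return major == 0 && (minor < fixedMinor || pre), nil
}

// scan returns the effective x/crypto versions that need an update or review.
func scan(list string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != modPath {
			continue
		}
		ver := f[len(f)-1] // with "=>", the replacement is what gets built
		if bad, err := vulnerable(ver); bad || err != nil {
			hits = append(hits, ver) // unparseable (local replace) is flagged for review
		}
	}
	return hits
}

func main() {
	fmt.Println("needs update or review:", scan(sampleList))
}
```

A module list only covers source trees; binaries that were already built keep the old dependency until they are rebuilt, and `go version -m <binary>` shows the version embedded in each one.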
