Skip to main content

golang.org/x/crypto EUVDEUVD-2026-31394

| CVE-2026-39828 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-22 Go GHSA-45gg-vh54-h5m9
6.3
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 19:01 vuln.today
CVSS changed
Jun 02, 2026 - 16:37 NVD
6.3 (None) 6.3 (MEDIUM)
Patch available
May 22, 2026 - 04:31 EUVD
CVE Published
May 22, 2026 - 02:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

AnalysisAI

SSH certificate permission enforcement in golang.org/x/crypto/ssh fails silently during multi-factor authentication flows, allowing authenticated users to bypass certificate-enforced restrictions such as force-command. Specifically, when an SSH server authentication callback returns PartialSuccessError with non-nil Permissions (as occurs in MFA sequences where a first factor succeeds and a second is required), those certificate permissions are silently discarded rather than propagated to the final session. Any Go-based SSH server using this library with both MFA and certificate-based permission restrictions is affected in versions prior to 0.52.0. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability.

Technical ContextAI

The affected component is golang.org/x/crypto/ssh (CPE: cpe:2.3:a:golang.org/x/crypto:golang.org/x/crypto/ssh:*:*:*:*:*:*:*:*), Go's extended cryptography library providing SSH protocol support. The SSH certificate model allows embedding permissions and extensions - such as force-command, which constrains the commands an authenticated user may execute - directly into certificates. In multi-factor authentication implementations, the PartialSuccessError type signals to the SSH handshake engine that the first authentication factor succeeded and a second is required. The bug (CWE-295: Improper Certificate Validation) is that the handshake engine silently discards the Permissions struct carried in a PartialSuccessError return value rather than propagating it into the final authenticated session context. The fix, introduced in 0.52.0, converts this silent discard into a connection error, forcing implementers to handle the condition correctly. The issue is tracked at go.dev/issue/79562 and announced via golang-announce.

RemediationAI

Upgrade golang.org/x/crypto to version 0.52.0 or later, which resolves the silent permission discard by returning a connection error when non-nil Permissions are passed with PartialSuccessError - see the upstream change at go.dev/cl/781621 and the Go vulnerability database entry at pkg.go.dev/vuln/GO-2026-5014. The fix is a breaking behavioral change: server implementations that previously returned non-nil Permissions alongside PartialSuccessError will now see connections fail, requiring code review of custom authentication callbacks. If immediate patching is not feasible, a compensating control is to audit all SSH server authentication callback implementations and ensure PartialSuccessError is returned with nil Permissions, deferring permission assignment to the final successful authentication stage - note this workaround requires code changes and careful testing to avoid introducing logic errors in permission assignment. Do not rely on network-layer filtering alone, as the vulnerability is exploitable by users who already hold valid first-factor credentials.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for HPC 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP6-LTSS Affected

Share

EUVD-2026-31394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy