Skip to main content

golang.org/x/crypto/ssh EUVDEUVD-2026-31397

| CVE-2026-39830 CRITICAL
Buffer Overflow (CWE-119)
2026-05-22 Go GHSA-vgwf-h737-ff37
9.1
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 19:00 vuln.today
CVSS changed
Jun 02, 2026 - 16:37 NVD
9.1 (None) 9.1 (CRITICAL)
Patch available
May 22, 2026 - 04:31 EUVD
CVE Published
May 22, 2026 - 02:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

AnalysisAI

Resource exhaustion in the Go golang.org/x/crypto/ssh package allows a malicious SSH peer to leak goroutines and memory by sending unsolicited global request responses that fill an internal buffer and block the connection's read loop. Affected versions are below 0.52.0, and even calling Close() fails to release the blocked goroutine, enabling per-connection resource leaks against any Go application using this library as an SSH client or server. There is no public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low observed exploitation interest despite the high CVSS rating.

Technical ContextAI

The vulnerability lives in the Go standard supplemental cryptography module golang.org/x/crypto/ssh, the dominant pure-Go SSH implementation used by tools like Terraform, Docker, Kubernetes operators, and countless DevOps utilities. Per CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the SSH transport layer processes RFC 4254 global request messages and queues responses in a bounded internal channel; a malicious peer sending unsolicited global request *responses* (replies with no matching pending request) fills that channel, causing the goroutine that reads from the SSH transport to block indefinitely on a send. Because the read loop owns the lifecycle signaling for the connection, the blocked goroutine cannot be unwound by Close(), producing a per-connection resource leak of goroutines, memory, and file descriptors. The fix in 0.52.0 silently discards unsolicited global responses rather than buffering them.

RemediationAI

Vendor-released patch: golang.org/x/crypto v0.52.0 - upgrade the module dependency with 'go get golang.org/x/crypto@v0.52.0' followed by 'go mod tidy', then rebuild and redeploy all binaries that embed the SSH stack (static linking means library updates alone do not fix already-shipped binaries). Run 'govulncheck ./...' to confirm GO-2026-5017 is no longer reported, and consult the upstream fix commits at https://go.dev/cl/781664 and https://go.dev/cl/781640, the issue tracker at https://go.dev/issue/79564, and the advisory at https://pkg.go.dev/vuln/GO-2026-5017. Where immediate rebuilds are not possible, compensating controls include restricting which SSH peers a Go-based client connects to via allowlists (limits operational flexibility), placing affected SSH servers behind a non-Go SSH proxy such as OpenSSH that terminates the protocol before the Go stack sees it (adds a hop and configuration burden), and aggressive connection idle timeouts plus process-level memory/FD limits and periodic restarts to bound the leak's blast radius (does not stop the underlying leak and may interrupt legitimate sessions).

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for HPC 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP6-LTSS Affected

Share

EUVD-2026-31397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy