Skip to main content

Golang Org X Crypto Ssh Agent

3 CVEs product

Monthly

CVE-2026-46598 Go MEDIUM PATCH GHSA This Month

Panic-induced denial of service in the golang.org/x/crypto/ssh/agent package allows remote unauthenticated attackers to crash processes by submitting specially crafted SSH agent protocol messages containing malformed wire-format bytes that are unsafely cast into an ed25519.PrivateKey without sufficient validation. All versions of golang.org/x/crypto/ssh/agent prior to 0.52.0 are affected. No public exploit exists at time of analysis (EPSS 0.02%), though the SSVC framework flags the attack as automatable, and a vendor patch is available.

Information Disclosure Golang Org X Crypto Ssh Agent Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39832 Go CRITICAL POC PATCH GHSA Act Now

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.

SSH Deserialization Golang Org X Crypto Ssh Agent
NVD VulDB GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39833 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Panic-induced denial of service in the golang.org/x/crypto/ssh/agent package allows remote unauthenticated attackers to crash processes by submitting specially crafted SSH agent protocol messages containing malformed wire-format bytes that are unsafely cast into an ed25519.PrivateKey without sufficient validation. All versions of golang.org/x/crypto/ssh/agent prior to 0.52.0 are affected. No public exploit exists at time of analysis (EPSS 0.02%), though the SSVC framework flags the attack as automatable, and a vendor patch is available.

Information Disclosure Golang Org X Crypto Ssh Agent Suse +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.

SSH Deserialization Golang Org X Crypto Ssh Agent
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy