CVE-2026-39827
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| golang.org/x/crypto | golang.org/x/crypto/ssh | 0 < 0.52.0 | affected |
Weaknesses
- CWE-401: Missing Release of Memory after Effective Lifetime
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://go.dev/issue/35127
- https://go.dev/cl/781320
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI
- https://pkg.go.dev/vuln/GO-2026-5016
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.