CVE-2026-39830

Summary

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected Software

VendorProductVersion RangeStatus
golang.org/x/cryptogolang.org/x/crypto/ssh0 < 0.52.0affected

Weaknesses

  • CWE-833: Deadlock

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses

Additional References

References