CVE-2026-42508

Summary

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Affected Software

VendorProductVersion RangeStatus
golang.org/x/cryptogolang.org/x/crypto/ssh/knownhosts0 < 0.52.0affected

Weaknesses

  • CWE-295: Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey

Additional References

References