CRITICALCVE-2026-39830Published 2026-05-22Modified 2026-05-22CNA Go

CVE-2026-39830: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0.52.0
Affected Products: 1

Fix available

0.52.0

Affected packages

golang.org/x/crypto / golang.org/x/crypto/ssh
< 0.52.0 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

go.dev
groups.google.com
go.dev
go.dev
pkg.go.dev

Metrics

Fix available