CRITICALCVE-2026-39834Published 2026-05-22Modified 2026-05-22CNA Go

CVE-2026-39834: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0.52.0
Affected Products: 1

Fix available

0.52.0

Affected packages

golang.org/x/crypto / golang.org/x/crypto/ssh
< 0.52.0 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

go.dev
groups.google.com
go.dev
pkg.go.dev

Metrics

Fix available