MEDIUM 5.3

GHSA-78mq-xcr3-xm33

golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

Details

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / golang.org/x/crypto/ssh

Introduced in: 0 Fixed in: 0.52.0

Fix go get golang.org/x/crypto/ssh@v0.52.0

References

https://nvd.nist.gov/vuln/detail/CVE-2026-39835 [ADVISORY]
https://cs.opensource.google/go/x/crypto [PACKAGE]
https://go.dev/cl/781660 [WEB]
https://go.dev/issue/79563 [WEB]
https://groups.google.com/g/golang-announce/c/a082jnz-LvI [WEB]
https://pkg.go.dev/vuln/GO-2026-5015 [WEB]