MEDIUM 6.3
GHSA-45gg-vh54-h5m9
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
Details
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-39828 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2026:26546 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37296 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37387 [WEB]
- https://access.redhat.com/errata/RHSA-2026:40118 [WEB]
- https://access.redhat.com/errata/RHSA-2026:40119 [WEB]
- https://access.redhat.com/errata/RHSA-2026:40262 [WEB]
- https://access.redhat.com/errata/RHSA-2026:40969 [WEB]
- https://access.redhat.com/errata/RHSA-2026:40974 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-39828 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2480687 [WEB]
- https://cs.opensource.google/go/x/crypto [PACKAGE]
- https://go.dev/cl/781621 [WEB]
- https://go.dev/issue/79562 [WEB]
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI [WEB]
- https://pkg.go.dev/vuln/GO-2026-5014 [WEB]
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39828.json [WEB]
- https://access.redhat.com/errata/RHSA-2026:26547 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36105 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36167 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36207 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36319 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36625 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36648 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36651 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36796 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36797 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36808 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37268 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37271 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37272 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37278 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37286 [WEB]