MEDIUM 5.3
GHSA-78mq-xcr3-xm33
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Details
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-39835 [ADVISORY]
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39835.json [WEB]
- https://pkg.go.dev/vuln/GO-2026-5015 [WEB]
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI [WEB]
- https://go.dev/issue/79563 [WEB]
- https://go.dev/cl/781660 [WEB]
- https://cs.opensource.google/go/x/crypto [PACKAGE]
- https://bugzilla.redhat.com/show_bug.cgi?id=2480680 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-39835 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37410 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37387 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37296 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37286 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37272 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37271 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37268 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37123 [WEB]
- https://access.redhat.com/errata/RHSA-2026:37072 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36797 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36796 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36651 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36648 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36625 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36319 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36207 [WEB]
- https://access.redhat.com/errata/RHSA-2026:36199 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26547 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26546 [WEB]