CVSS Score: 7.5 Published: 2026-06-25 Full Report: https://cvereports.com/reports/CVE-2026-39829
A high-severity Denial of Service (DoS) vulnerability exists in the golang.org/x/crypto/ssh package prior to version 0.52.0. The vulnerability is caused by a lack of size and range validation on incoming RSA and DSA public key parameters during SSH authentication. An unauthenticated attacker can submit a crafted public key with pathologically large parameters, triggering intensive CPU computation during signature verification and leading to a complete Denial of Service.
Unauthenticated remote attackers can exhaust SSH server CPU resources by sending public keys with oversized parameters during the authentication handshake.
- CWE ID: CWE-1176
- Attack Vector: Network (Unauthenticated)
- CVSS v3.1 Score: 7.5
- EPSS Score: 0.00304
- Exploit Status: Proof-of-Concept
- Affected Module: golang.org/x/crypto/ssh
- Fixed Version: v0.52.0
- Docker
- containerd
- HashiCorp Vault
- Kubernetes Components
- Gitea
- Cloudflared
- golang.org/x/crypto/ssh: < v0.52.0 (Fixed in:
v0.52.0)
- Upgrade the golang.org/x/crypto dependency to v0.52.0 or higher.
- Recompile all downstream packages to embed the fixed dependency.
- Limit SSH port access using network-level firewall rules.
Remediation Steps:
- Open the go.mod file of your project.
- Update the golang.org/x/crypto line to reference v0.52.0 or higher.
- Run 'go mod tidy' to update the lockfile.
- Rebuild your binaries and redeploy them to production environments.
- Go Issue #79565
- Golang Announce Security Advisory
- Go Vulnerability Database Entry
- NVD CVE-2026-39829 Record
- Wiz CVE-2026-39829 Analysis
Generated by CVEReports - Automated Vulnerability Intelligence