CVE-2026-39827: Denial of Service via Unbounded Memory Growth in Go SSH (golang.org/x/crypto/ssh)
CVSS Score: 6.5
Published: 2026-06-25
Full Report: https://cvereports.com/reports/CVE-2026-39827
An unbounded memory leak vulnerability in the Go SSH package (golang.org/x/crypto/ssh) allows authenticated users to crash the server by repeatedly requesting connection channels that are rejected, leading to system resource exhaustion.
A memory leak in golang.org/x/crypto/ssh prior to version 0.52.0 allows authenticated clients to trigger a Denial of Service by repeatedly sending channel requests that the server rejects.
- CWE ID: CWE-401
- Attack Vector: Network (AV:N)
- CVSS Score: 6.5 (Medium)
- EPSS Score: 0.00196
- Impact: Denial of Service (DoS) / Memory Exhaustion
- Exploit Status: None (No public exploits)
- KEV Status: Not listed
Affected Systems:
- Go application servers using golang.org/x/crypto/ssh to run SSH server-side services
- Gitea SSH servers
- Docker/Podman daemon SSH components
- HashiCorp Vault SSH secrets engine
Affected Versions:
- golang.org/x/crypto/ssh: < 0.52.0 (Fixed in: 0.52.0)
Mitigation:
- Upgrade golang.org/x/crypto to version 0.52.0 or higher.
- Recompile all statically linked Go binaries using the updated library.
- Implement monitoring for rapid SSH channel creation failures per session.
Remediation Steps:
- Identify all internal Go projects that utilize the 'golang.org/x/crypto/ssh' package.
- Run 'go get golang.org/x/crypto@v0.52.0' in the root directory of the affected projects.
- Run 'go mod tidy' to update the dependency tree and lock files.
- Rebuild the binaries and redeploy the affected applications.
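To confirm that a rebuilt binary actually picked up the fixed module, the following added example (not code from the advisory or from the Go project) reads the module list embedded in compiled Go binaries and flags any golang.org/x/crypto version below 0.52.0. The function names `olderThanFix` and `auditBinary` are hypothetical; a hit means the module is linked, not that the binary necessarily runs the ssh server code.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

const modPath = "golang.org/x/crypto" // fixed in v0.52.0 per the advisory

// olderThanFix reports whether a module version (tag or pseudo-version) is
// below v0.52.0. Unparseable versions count as affected for manual review.
func olderThanFix(v string) bool {
	var major, minor int
	if _, err := fmt.Sscanf(v, "v%d.%d.", &major, &minor); err != nil {
		return true
	}
	return major == 0 && minor < 52
}

// auditBinary reports the x/crypto version linked into a compiled Go binary.
func auditBinary(path string) (version string, found, affected bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, false, err
	}
	for _, dep := range info.Deps {
		if dep.Path == modPath {
			if dep.Replace != nil {
				dep = dep.Replace // a replace directive decides what was built
			}
			return dep.Version, true, olderThanFix(dep.Version), nil
		}
	}
	return "", false, false, nil
}

func main() {
	// Usage: pass one or more binary paths as arguments.
	for _, path := range os.Args[1:] {
		v, found, affected, err := auditBinary(path)
		fmt.Printf("%s: version=%q linked=%t affected=%t err=%v\n",
			path, v, found, affected, err)
	}
}
```

Binaries that report `affected=true` still carry the old library and need the rebuild and redeploy step above.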
- Gerrit Change List 781320
- Go Review Source Code
- Go GitHub Issue #35127
- Go Vulnerability Database Advisory
- CVE-2026-39827 Record
Generated by CVEReports - Automated Vulnerability Intelligence