9.1

CVE-2026-39830

Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangCrypto SwPlatformgo Version < 0.52.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.412
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

https://go.dev/issue/79564
Issue Tracking
https://go.dev/cl/781640
Issue Tracking
https://go.dev/cl/781664
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2480684
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json
https://access.redhat.com/errata/RHSA-2026:29455
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
Mailing List
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:36199
https://pkg.go.dev/vuln/GO-2026-5017
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-39830
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:37072