9.1
CVE-2026-39830
- EPSS 0.53%
- Veröffentlicht 22.05.2026 02:31:27
- Zuletzt bearbeitet 09.07.2026 13:17:03
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.53% | 0.412 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-772 Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
https://go.dev/issue/79564
https://go.dev/cl/781640
https://go.dev/cl/781664
https://bugzilla.redhat.com/show_bug.cgi?id=2480684
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json
https://access.redhat.com/errata/RHSA-2026:29455
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:36199
https://pkg.go.dev/vuln/GO-2026-5017
https://access.redhat.com/security/cve/CVE-2026-39830
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:37072