9.1

CVE-2026-39832

Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangCrypto SwPlatformgo Version < 0.52.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.324
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.7 2.3 5.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://go.dev/issue/79435
Issue Tracking
https://go.dev/cl/778642
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2480685
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
Mailing List
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:36199
https://pkg.go.dev/vuln/GO-2026-5006
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-39832
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37123