9.1
CVE-2026-39832
- EPSS 0.4%
- Veröffentlicht 22.05.2026 02:31:26
- Zuletzt bearbeitet 09.07.2026 13:17:03
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.324 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.7 | 2.3 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
|
CWE-281 Improper Preservation of Permissions
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://go.dev/issue/79435
https://go.dev/cl/778642
https://bugzilla.redhat.com/show_bug.cgi?id=2480685
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:36199
https://pkg.go.dev/vuln/GO-2026-5006
https://access.redhat.com/security/cve/CVE-2026-39832
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37123