DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39829: Denial of Service in Go SSH Parser


Vulnerability ID: CVE-2026-39829
CVSS Score: 7.5
Published: 2026-06-25

A high-severity Denial of Service (DoS) vulnerability exists in the golang.org/x/crypto/ssh package prior to version 0.52.0. The vulnerability is caused by a lack of size and range validation on incoming RSA and DSA public key parameters during SSH authentication. An unauthenticated attacker can submit a crafted public key with pathologically large parameters, triggering intensive CPU computation during signature verification and leading to a complete Denial of Service.

TL;DR

Unauthenticated remote attackers can exhaust SSH server CPU resources by sending public keys with oversized parameters during the authentication handshake.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1176
  • Attack Vector: Network (Unauthenticated)
  • CVSS v3.1 Score: 7.5
  • EPSS Score: 0.00304
  • Exploit Status: Proof-of-Concept
  • Affected Module: golang.org/x/crypto/ssh
  • Fixed Version: v0.52.0

Affected Systems

  • Docker
  • containerd
  • HashiCorp Vault
  • Kubernetes Components
  • Gitea
  • Cloudflared
  • golang.org/x/crypto/ssh: < v0.52.0 (Fixed in: v0.52.0)

Code Analysis

Commit: 8907318

ssh: limit RSA modulus to 8192 bits to prevent Denial of Service

Commit: 9c2cd33

ssh: enforce DSA parameter range checks and subprime limit to prevent DoS
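As an added defensive example (not code from the x/crypto library or from either fix commit), the check below parses an SSH wire-format public key blob and rejects oversized or out-of-range parameters before any signature math runs, which is the kind of pre-validation the two commits introduce. The 8192-bit RSA cap is taken from the commit message above; the DSA bounds (3072-bit p, 256-bit q, and g and y inside (1, p)) are an assumed policy for this example, not the library's exact thresholds.

```go
package main

import (
	"encoding/binary"
	"errors"
	"math/big"
)

// RSA cap from the fix commit; DSA bounds are an assumed policy for this example.
const maxRSABits, maxDSAPBits, maxDSAQBits = 8192, 3072, 256

// parseKey splits an SSH wire-format blob into its key type and mpint fields,
// rejecting any field length that runs past the end of the input.
func parseKey(blob []byte) (typ string, ints []*big.Int, err error) {
	for i := 0; len(blob) > 0; i++ {
		if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
			return "", nil, errors.New("truncated or oversized field")
		}
		n := binary.BigEndian.Uint32(blob)
		if i == 0 {
			typ = string(blob[4 : 4+n])
		} else {
			ints = append(ints, new(big.Int).SetBytes(blob[4:4+n])) // unsigned big-endian
		}
		blob = blob[4+n:]
	}
	return typ, ints, nil
}

// CheckPublicKeyBlob rejects ssh-rsa/ssh-dss blobs (the base64 part of an
// authorized_keys line) with oversized or out-of-range parameters.
func CheckPublicKeyBlob(blob []byte) error {
	typ, ints, err := parseKey(blob)
	if err != nil {
		return err
	}
	if n := map[string]int{"ssh-rsa": 2, "ssh-dss": 4}[typ]; n == 0 || len(ints) != n {
		return errors.New("unsupported key type or wrong field count")
	}
	if typ == "ssh-rsa" && ints[1].BitLen() > maxRSABits { // fields: e, n
		return errors.New("RSA modulus exceeds 8192 bits")
	}
	if typ == "ssh-dss" { // fields: p, q, g, y
		p, q, g, y, one := ints[0], ints[1], ints[2], ints[3], big.NewInt(1)
		if p.BitLen() > maxDSAPBits || q.BitLen() > maxDSAQBits {
			return errors.New("DSA p or q exceeds size policy")
		}
		if g.Cmp(one) <= 0 || g.Cmp(p) >= 0 || y.Cmp(one) <= 0 || y.Cmp(p) >= 0 {
			return errors.New("DSA g or y outside (1, p)")
		}
	}
	return nil
}
```

A server can call CheckPublicKeyBlob on the raw key bytes inside its public-key authentication callback, so a rejected key never reaches the expensive verification path.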

Mitigation Strategies

  • Upgrade the golang.org/x/crypto dependency to v0.52.0 or higher.
  • Recompile all downstream packages to embed the fixed dependency.
  • Limit SSH port access using network-level firewall rules.

Remediation Steps:

  1. Open the go.mod file of your project.
  2. Update the golang.org/x/crypto line to reference v0.52.0 or higher.
  3. Run 'go mod tidy' to update go.sum.
  4. Rebuild your binaries and redeploy them to production environments.

