CVE Reports

Originally published at cvereports.com

CVE-2026-39830: Unsolicited Response Channel Deadlock and Resource Leak in golang.org/x/crypto/ssh

Vulnerability ID: CVE-2026-39830
CVSS Score: 9.1
Published: 2026-06-25

A denial-of-service (DoS) and resource leak vulnerability in the Go SSH package (golang.org/x/crypto/ssh) allows a malicious peer to permanently deadlock connection processing loops and leak memory. This issue stems from improper handling of unsolicited responses at the global and channel layers, which saturate internal bounded channel buffers and block the main multiplexer loop. The vulnerability is fully resolved in version 0.52.0.

TL;DR

Unsolicited global or channel responses fill bounded internal Go channels, deadlocking the connection's read loop and leaking goroutines even after the connection is closed.
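The pattern the TL;DR describes, reduced to a toy model as an added example (this is not code from golang.org/x/crypto/ssh, whose real data structures differ): a read loop forwards replies to the party that sent the corresponding request over a bounded channel. The `demux` type, `dispatchNaive`, `dispatchChecked`, and the buffer sizes are assumptions of this model. When nothing is draining the buffer, the naive loop blocks on the first reply that does not fit and the goroutine running it never exits; the checked variant tracks how many requests are actually outstanding and rejects anything beyond that, so a peer's unsolicited replies cannot fill the buffer.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrUnsolicited is returned by the hardened dispatcher when a reply arrives
// that no outstanding request can account for.
var ErrUnsolicited = errors.New("unsolicited response: no request pending")

// demux is a toy model (not the library's own type) of the read-loop state:
// replies to requests this side sent are forwarded over a bounded channel
// that the requester is expected to drain.
type demux struct {
	mu      sync.Mutex
	pending int         // requests sent by this side and not yet answered
	replies chan string // bounded buffer drained by the requester
}

func newDemux(bufSize int) *demux {
	return &demux{replies: make(chan string, bufSize)}
}

// sendRequest records that one reply is now legitimately expected.
func (d *demux) sendRequest() {
	d.mu.Lock()
	d.pending++
	d.mu.Unlock()
}

// dispatchNaive forwards every reply, expected or not. Once the buffer is
// full and nobody drains it, the caller (the read loop) blocks here forever:
// the deadlock pattern the advisory describes.
func (d *demux) dispatchNaive(reply string) {
	d.replies <- reply
}

// dispatchChecked forwards a reply only while a request is outstanding and
// rejects the rest. If the buffer is somehow full anyway, it fails instead
// of blocking the read loop.
func (d *demux) dispatchChecked(reply string) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	if d.pending == 0 {
		return ErrUnsolicited
	}
	d.pending--
	select {
	case d.replies <- reply:
		return nil
	default:
		return errors.New("reply buffer full; connection should be closed")
	}
}

// feedNaive runs the naive loop over n unsolicited replies with no reader
// draining the buffer and reports whether the loop is still stuck after
// timeout. A stuck loop is also a leaked goroutine.
func feedNaive(n, bufSize int, timeout time.Duration) bool {
	d := newDemux(bufSize)
	done := make(chan struct{})
	go func() {
		for i := 0; i < n; i++ {
			d.dispatchNaive(fmt.Sprintf("reply-%d", i))
		}
		close(done)
	}()
	select {
	case <-done:
		return false
	case <-time.After(timeout):
		return true
	}
}

// feedChecked runs the hardened loop over n replies, of which only
// `expected` were actually requested, and counts the outcome.
func feedChecked(n, expected, bufSize int) (accepted, rejected int) {
	d := newDemux(bufSize)
	for i := 0; i < expected; i++ {
		d.sendRequest()
	}
	for i := 0; i < n; i++ {
		err := d.dispatchChecked(fmt.Sprintf("reply-%d", i))
		switch {
		case err == nil:
			accepted++
		case errors.Is(err, ErrUnsolicited):
			rejected++
		}
	}
	return accepted, rejected
}

func main() {
	fmt.Println("naive loop stuck (3 replies, 2-slot buffer):", feedNaive(3, 2, 200*time.Millisecond))
	a, r := feedChecked(5, 1, 2)
	fmt.Printf("checked loop: accepted=%d rejected=%d\n", a, r)
}
```

The stuck goroutine in `feedNaive` is what the "Monitor goroutine counts" mitigation below is looking for in production: each connection whose read loop blocks this way adds a goroutine that never returns, even after the connection is closed.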


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-833 (Deadlock)
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 9.1 (Critical)
  • EPSS Score: 0.00392
  • EPSS Percentile: 30.94%
  • Exploit Status: PoC (No Weaponized Public Exploits)
  • CISA KEV Status: Not Listed

Affected Systems

  • golang.org/x/crypto/ssh
  • golang.org/x/crypto/ssh: < 0.52.0 (Fixed in: 0.52.0)

Code Analysis

Commit: cl78164

ssh: fix deadlock on unexpected global responses

Commit: cl78166

ssh: fix deadlock on unexpected channel responses

Mitigation Strategies

  • Upgrade golang.org/x/crypto to version v0.52.0 or later.
  • Implement connection rate limiting at the network boundary.
  • Monitor goroutine counts for unexplained persistent increases.

Remediation Steps:

  1. Identify Go modules using golang.org/x/crypto below version 0.52.0.
  2. Execute 'go get golang.org/x/crypto@v0.52.0' in the project root.
  3. Run 'go mod tidy' to update go.sum and dependencies.
  4. Rebuild and redeploy all affected services.
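Step 1 above can be scripted. The following is an added example (not tooling from the advisory or from the Go project) that reads a go.mod file, finds the golang.org/x/crypto requirement and compares it with the fixed release; the sample go.mod is constructed for the example, and `parseSemver`, `cryptoVersion` and `needsUpgrade` are names chosen here. In a real repository you would feed it the module's actual go.mod, or simply run `go list -m golang.org/x/crypto` and `govulncheck ./...`, which already understand replace directives and pseudo-versions that this small parser only approximates.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first release the advisory lists as fixed.
const fixedVersion = "v0.52.0"

// sampleGoMod is a constructed go.mod for the example, not a real project's.
const sampleGoMod = `module example.com/service

go 1.22

require (
	golang.org/x/crypto v0.51.0
	golang.org/x/sys v0.30.0 // indirect
)
`

// version holds the numeric part of a semver string plus whether it carried
// a pre-release suffix (v0.52.0-rc1 or a pseudo-version), which sorts before
// the bare release.
type version struct {
	nums [3]int
	pre  bool
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-pre][+build]".
func parseSemver(v string) (version, error) {
	var out version
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		out.pre = s[i] == '-'
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver string: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// olderThan reports whether a sorts before b.
func olderThan(a, b version) bool {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// cryptoVersion returns the golang.org/x/crypto version required by the
// go.mod text, handling both the block form and the single-line form.
// Replace directives are deliberately not interpreted here.
func cryptoVersion(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 2 && f[0] == "golang.org/x/crypto":
			return f[1], nil
		case len(f) >= 3 && f[0] == "require" && f[1] == "golang.org/x/crypto":
			return f[2], nil
		}
	}
	return "", errors.New("golang.org/x/crypto is not required by this module")
}

// needsUpgrade reports whether the module's x/crypto is below fixedVersion,
// along with the version it found.
func needsUpgrade(gomod string) (bool, string, error) {
	v, err := cryptoVersion(gomod)
	if err != nil {
		return false, "", err
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	fixed, _ := parseSemver(fixedVersion)
	return olderThan(have, fixed), v, nil
}

func main() {
	vuln, v, err := needsUpgrade(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if vuln {
		fmt.Printf("golang.org/x/crypto %s is below %s: run `go get golang.org/x/crypto@%s` then `go mod tidy`\n", v, fixedVersion, fixedVersion)
		return
	}
	fmt.Printf("golang.org/x/crypto %s is at or above %s\n", v, fixedVersion)
}
```

Because the fix applies to the x/crypto module as a whole, any version below v0.52.0 is reported even when the module only imports a sibling package; that is the conservative answer, since the vulnerable ssh package ships in the same module.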
