CVE-2026-39834: CVE-2026-39834: Infinite Loop and CPU Exhaustion via Integer Truncation in Go SSH Channel Write

CVE-2026-39834: Infinite Loop and CPU Exhaustion via Integer Truncation in Go SSH Channel Write

Vulnerability ID: CVE-2026-39834
CVSS Score: 9.1
Published: 2026-06-25

A critical vulnerability exists in the Go SSH sub-repository (golang.org/x/crypto/ssh) before version 0.52.0. When an application writes payloads of 4GB or larger in a single write operation, integer truncation in the remote window calculation causes an infinite loop. This results in complete CPU core exhaustion and a denial-of-service condition.

TL;DR

Writing payloads larger than 4GB to a Go SSH channel causes integer truncation, leading to an infinite write loop and 100% CPU utilization on the executing thread.

---

Technical Details

• CWE ID: CWE-190
• Attack Vector: Network
• CVSS v3.1 Score: 9.1 (Critical)
• EPSS Score: 0.00466
• Impact: Denial of Service (DoS) via 100% CPU exhaustion
• Exploit Status: none
• KEV Status: Not listed

Affected Systems

• Docker / Moby / containerd / Docker Compose
• HashiCorp Vault / Packer
• Prometheus / Thanos
• Trivy / Kubescape CLI / gptscript
• Gitea / SOPS / Atlantis
• MinIO / Rclone
• Amazon CloudWatch Agent / AWS Systems Manager Agent (SSM)
• Splunk OpenTelemetry Collector
• golang.org/x/crypto: < 0.52.0 (Fixed in: 0.52.0)

Code Analysis

Commit: 8afbdcd

ssh: avoid silent integer truncation in minPayloadSize calculation to prevent infinite loop on 4GB write operations

Mitigation Strategies

• Upgrade golang.org/x/crypto to version v0.52.0 or higher.
• Implement application-level chunking to limit maximum write size to 1 GiB per invocation.
• Deploy rate-limiting and maximum payload constraints on public endpoints that accept uploads forwarded to SSH channels.

Remediation Steps:

1. Identify all projects and microservices importing golang.org/x/crypto/ssh.
2. Update the go.mod file to specify golang.org/x/crypto v0.52.0 or greater.
3. Execute 'go mod tidy' to update the dependency graph.
4. Recompile and redeploy the affected services across production clusters.

References

• Go Change List (Gerrit)
• Go Issue Tracker Thread
• Go Announcement Mailing List
• Go Vulnerability Database Entry
• JSON Vuln Database Schema
• CVE.org Official Record
• Wiz Vulnerability Database Analysis

---

Read the full report for CVE-2026-39834 on our website for more details including interactive diagrams and full exploit analysis.