CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker
Vulnerability ID: CVE-2026-39835
CVSS Score: 5.3
Published: 2026-06-25
A Denial of Service (DoS) vulnerability exists in the Go SSH package golang.org/x/crypto/ssh. When a CertChecker is used as a public key callback but its IsUserAuthority or IsHostAuthority function field is left nil, the checker invokes that nil function as soon as a certificate is presented. Calling a nil func value in Go is a nil pointer dereference, so the call panics at runtime.
TL;DR
An unauthenticated remote attacker can crash a Go SSH server that uses a CertChecker with a nil IsUserAuthority or IsHostAuthority callback simply by presenting a certificate during the handshake; the resulting runtime panic terminates the whole process unless the server recovers it.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-476
- Attack Vector: Network
- CVSS Severity: 5.3 (Medium)
- Exploit Status: Proof of Concept
- Affected Package: golang.org/x/crypto/ssh
- Fixed Version: v0.52.0
Affected Systems
- Docker / Moby
- HashiCorp Vault
- Prometheus
- Gitea
- containerd
- Podman
- Trivy
- Amazon CloudWatch Agent
- AWS Systems Manager Agent (SSM)
- SOPS
- Atlantis
- Cloudflared
- Splunk OpenTelemetry Collector
- golang.org/x/crypto: < 0.52.0 (fixed in 0.52.0)
Mitigation Strategies
- Upgrade golang.org/x/crypto to v0.52.0 or higher.
- Audit every CertChecker literal in your code and confirm that both IsUserAuthority and IsHostAuthority are set; a zero-value CertChecker is the vulnerable configuration.
- Where a callback has no real policy to enforce, set it to a function that returns false (deny by default) rather than leaving it nil, so a missing policy fails closed instead of panicking.
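The two mitigations above, as an added Go example that is not part of the advisory or of golang.org/x/crypto. Because the example must run without the x/crypto module, authorityChecker is a hypothetical stand-in that keeps only the two func fields named in the advisory, checkUserCert models the no-nil-check control flow the advisory describes, and trustedCA is a constructed fingerprint; the deny-by-default hardening and the recover wrapper are the patterns to carry over to a real ssh.CertChecker.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// authorityChecker is a hypothetical stand-in for ssh.CertChecker, keeping only
// the two func fields the advisory names. It is not the x/crypto type; it
// mirrors the shape (exported func fields that default to nil) so the example
// runs without the external module.
type authorityChecker struct {
	IsUserAuthority func(caFingerprint string) bool
	IsHostAuthority func(caFingerprint, addr string) bool
}

var errUnrecognizedAuthority = errors.New("ssh: certificate signed by unrecognized authority")

// checkUserCert models the control flow the advisory describes: the callback
// is invoked with no nil check, so a zero-value field panics on the first
// certificate a client presents.
func (c *authorityChecker) checkUserCert(caFingerprint string) error {
	if !c.IsUserAuthority(caFingerprint) {
		return errUnrecognizedAuthority
	}
	return nil
}

// hardenChecker applies the advisory's mitigation: any authority callback
// still nil is replaced with an explicit deny, so a missing policy fails
// closed instead of panicking.
func hardenChecker(c *authorityChecker) *authorityChecker {
	if c.IsUserAuthority == nil {
		c.IsUserAuthority = func(string) bool { return false }
	}
	if c.IsHostAuthority == nil {
		c.IsHostAuthority = func(string, string) bool { return false }
	}
	return c
}

// authenticateSafely converts a panic raised while checking one client's
// certificate into an authentication error. This is defence in depth only:
// an unrecovered panic in a connection goroutine terminates the whole
// process, which is exactly the DoS outcome.
func authenticateSafely(c *authorityChecker, caFingerprint string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			if re, ok := r.(runtime.Error); ok {
				err = fmt.Errorf("certificate check panicked: %w", re)
				return
			}
			err = fmt.Errorf("certificate check panicked: %v", r)
		}
	}()
	return c.checkUserCert(caFingerprint)
}

// isNilDerefPanic reports whether err wraps the runtime's nil pointer
// dereference error, which is what calling a nil func value produces.
func isNilDerefPanic(err error) bool {
	var re runtime.Error
	return errors.As(err, &re) && strings.Contains(re.Error(), "nil pointer dereference")
}

// trustedCA is a constructed fingerprint standing in for the CA key a real
// IsUserAuthority callback would compare against.
const trustedCA = "SHA256:constructed-example-ca-fingerprint"

// newProductionChecker shows a correctly configured checker: the user
// authority is pinned to trustedCA, and the host authority, which this
// server-side example never consults, still fails closed.
func newProductionChecker() *authorityChecker {
	return hardenChecker(&authorityChecker{
		IsUserAuthority: func(fp string) bool { return fp == trustedCA },
	})
}

func main() {
	// Vulnerable configuration: zero-value checker, both callbacks nil.
	vulnerable := &authorityChecker{}
	fmt.Println("vulnerable:    ", authenticateSafely(vulnerable, trustedCA))

	// Hardened zero-value checker: denies instead of panicking.
	fmt.Println("hardened:      ", authenticateSafely(hardenChecker(&authorityChecker{}), trustedCA))

	// Correctly configured checker: accepts the pinned CA, rejects others.
	prod := newProductionChecker()
	fmt.Println("prod/trusted:  ", authenticateSafely(prod, trustedCA))
	fmt.Println("prod/untrusted:", authenticateSafely(prod, "SHA256:some-other-ca"))
}
```

The first line of output is the runtime error a vulnerable server dies with ("invalid memory address or nil pointer dereference" inside the certificate check); that string in a crash log from an SSH handshake is the tell for this bug. hardenChecker is the configuration fix to apply; the recover wrapper is only a backstop, and neither replaces upgrading to v0.52.0.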
Remediation Steps:
- Check which version of golang.org/x/crypto your build currently resolves with 'go list -m golang.org/x/crypto'.
- Run 'go get golang.org/x/crypto@v0.52.0' to update the module.
- Run 'go mod tidy' to synchronize dependencies.
- Recompile and redeploy the affected services.
- Verify remediation with 'govulncheck ./...', which also reports whether the vulnerable code is actually reachable from your binary.