CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42508: Bypass of SSH Certificate Authority Revocation in golang.org/x/crypto/ssh/knownhosts

Vulnerability ID: CVE-2026-42508
CVSS Score: 9.1
Published: 2026-06-25

An issue was discovered in Go's golang.org/x/crypto/ssh/knownhosts package: when validating an SSH host certificate, the public key of the Certification Authority (CA) that signed it was not checked against the revoked keys in known_hosts. Clients or servers using the library therefore validated and trusted host certificates issued by explicitly revoked CAs.

TL;DR

Go's SSH client/server knownhosts verification bypassed revocation checks for Certificate Authorities, trusting certificates signed by explicitly revoked CA keys.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-295
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.1
  • EPSS Score: 0.00368
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not in CISA KEV

Affected Systems

  • Systems running applications compiled with Go's golang.org/x/crypto/ssh/knownhosts package prior to version 0.52.0
  • golang.org/x/crypto: < v0.52.0 (Fixed in: v0.52.0)

Code Analysis

Commit: f717e29

ssh/knownhosts: check CA key revocation in IsRevoked callback

Exploit Details

  • Go Vulnerability Database: unit tests demonstrating the validation bypass using standard certificate generators and fake revoked CAs

Mitigation Strategies

  • Upgrade the golang.org/x/crypto dependency to version v0.52.0 or later.
  • Scan applications with vulnerability detection tools such as govulncheck to locate affected import paths.
  • As a temporary operational workaround, explicitly revoke individual leaf host certificates in known_hosts rather than relying on CA-level revocation markers.
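The defect described above and the leaf-revocation workaround in the last bullet, as an added example that is not code from the report or from golang.org/x/crypto. It is a self-contained, constructed model: HostCert stands in for an SSH host certificate (leaf key plus signing CA key), known_hosts-style lines use the real @cert-authority and @revoked markers with an assumed "toy-ed25519" key type, and CheckHostCert has a checkCA switch so the defective leaf-only revocation check can be compared with the corrected check that also consults the CA key. Names such as Line, Parse, CheckHostCert and Demo are this example's own, not the library's API.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// HostCert is a constructed stand-in for an SSH host certificate, reduced to the
// host's own key and the CA key that signed it (not x/crypto's ssh.Certificate).
type HostCert struct {
	Key          ed25519.PublicKey
	SignatureKey ed25519.PublicKey
}

// KnownHosts holds the marker lines of a known_hosts-style file: trusted CA
// keys (@cert-authority) and revoked keys (@revoked), keyed by raw key bytes.
type KnownHosts struct {
	CAs     map[string]bool
	Revoked map[string]bool
}

// Line renders one marker line: "<marker> <hosts> toy-ed25519 <base64 key>".
func Line(marker, hosts string, k ed25519.PublicKey) string {
	return fmt.Sprintf("%s %s toy-ed25519 %s", marker, hosts, base64.StdEncoding.EncodeToString(k))
}

// Parse reads marker lines; unmarked plain host-key lines are ignored here.
func Parse(text string) (*KnownHosts, error) {
	kh := &KnownHosts{CAs: map[string]bool{}, Revoked: map[string]bool{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || !strings.HasPrefix(f[0], "@") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(f[3])
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("bad key on line %q: %v", sc.Text(), err)
		}
		switch f[0] {
		case "@cert-authority":
			kh.CAs[string(raw)] = true
		case "@revoked":
			kh.Revoked[string(raw)] = true
		}
	}
	return kh, sc.Err()
}

// CheckHostCert accepts a certificate only if its CA is trusted and neither the
// leaf key nor (when checkCA is set) the CA key is revoked. checkCA=false
// reproduces the defect described in the report; checkCA=true is the fix.
func (kh *KnownHosts) CheckHostCert(c HostCert, checkCA bool) error {
	if !kh.CAs[string(c.SignatureKey)] {
		return errors.New("certificate not signed by a trusted CA")
	}
	if kh.Revoked[string(c.Key)] {
		return errors.New("host key revoked")
	}
	if checkCA && kh.Revoked[string(c.SignatureKey)] {
		return errors.New("signing CA key revoked")
	}
	return nil
}

// Demo builds a CA, a host certificate issued by it, and known_hosts data that
// trusts and then revokes the CA (all constructed). It reports whether the
// leaf-only check accepts the certificate, whether the full check does, and
// whether the leaf-only check still accepts it once the leaf host key is also
// revoked (the operational workaround from the report).
func Demo() (leafOnlyAccepts, fullCheckAccepts, workaroundAccepts bool, err error) {
	caPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	hostPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	cert := HostCert{Key: hostPub, SignatureKey: caPub}
	caRevoked := Line("@cert-authority", "*.example.internal", caPub) + "\n" +
		Line("@revoked", "*", caPub)
	kh, err := Parse(caRevoked)
	if err != nil {
		return
	}
	leafOnlyAccepts = kh.CheckHostCert(cert, false) == nil
	fullCheckAccepts = kh.CheckHostCert(cert, true) == nil
	kh, err = Parse(caRevoked + "\n" + Line("@revoked", "*", hostPub))
	if err != nil {
		return
	}
	workaroundAccepts = kh.CheckHostCert(cert, false) == nil
	return
}
```

Calling Demo() from a main returns (true, false, false, nil): the leaf-only check wrongly accepts a certificate from a revoked CA, the corrected check rejects it, and adding an @revoked line for the individual host key makes even the defective check reject it, which is why revoking leaf certificates works as a stop-gap until the dependency is upgraded.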

Remediation Steps:

  1. Open the Go module directory containing the affected codebase.
  2. Execute the update command: go get -u golang.org/x/crypto@v0.52.0
  3. Run go mod tidy to clean up and update the module dependencies.
  4. Recompile the binary and redeploy the affected applications.

References


Read the full report for CVE-2026-42508 on our website for more details including interactive diagrams and full exploit analysis.
