Intel

AIKIDO-2026-11025

golang.org/x/crypto is vulnerable to Denial Of Service (DoS)

Denial Of Service (DoS)CVE-2026-39830 Published Jun 2, 2026

91

Critical Risk

This Affects:

GOgolang.org/x/crypto
0.0.0 - 0.51.0
Fixed in 0.52.0
Are you affected? Scan for Free

TL;DR

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh functionalities.

Background info

golang.org/x/crypto is vulnerable to Denial Of Service (DoS) in versions 0.0.0 - 0.51.0.

How to fix this

Upgrade the golang.org/x/crypto library to the patch version.

Links

pkg.go.dev/vuln/GO-2026-5017
https://pkg.go.dev/vuln/GO-2026-5017
go.dev/cl/781640
https://go.dev/cl/781640
go.dev/cl/781664
https://go.dev/cl/781664
go.dev/issue/79564
https://go.dev/issue/79564
groups.google.com/g/golang-announce/c/a082jnz-LvI
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
access.redhat.com/errata/RHSA-2026:29455
https://access.redhat.com/errata/RHSA-2026:29455
access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:35833
access.redhat.com/errata/RHSA-2026:36199
https://access.redhat.com/errata/RHSA-2026:36199
access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36207
access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36319
access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36625
access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:36648
access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36651
access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36796
access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:36797
access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:36808
access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37072
access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:37268
access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:37271
access.redhat.com/errata/RHSA-2026:37272
https://access.redhat.com/errata/RHSA-2026:37272
access.redhat.com/errata/RHSA-2026:37275
https://access.redhat.com/errata/RHSA-2026:37275
access.redhat.com/errata/RHSA-2026:37278
https://access.redhat.com/errata/RHSA-2026:37278
access.redhat.com/errata/RHSA-2026:37286
https://access.redhat.com/errata/RHSA-2026:37286
access.redhat.com/errata/RHSA-2026:37296
https://access.redhat.com/errata/RHSA-2026:37296
access.redhat.com/errata/RHSA-2026:37387
https://access.redhat.com/errata/RHSA-2026:37387
access.redhat.com/errata/RHSA-2026:40118
https://access.redhat.com/errata/RHSA-2026:40118
access.redhat.com/errata/RHSA-2026:40262
https://access.redhat.com/errata/RHSA-2026:40262
access.redhat.com/errata/RHSA-2026:40945
https://access.redhat.com/errata/RHSA-2026:40945
access.redhat.com/errata/RHSA-2026:40969
https://access.redhat.com/errata/RHSA-2026:40969
access.redhat.com/errata/RHSA-2026:40972
https://access.redhat.com/errata/RHSA-2026:40972
access.redhat.com/errata/RHSA-2026:40974
https://access.redhat.com/errata/RHSA-2026:40974
access.redhat.com/errata/RHSA-2026:41019
https://access.redhat.com/errata/RHSA-2026:41019
access.redhat.com/errata/RHSA-2026:41031
https://access.redhat.com/errata/RHSA-2026:41031
access.redhat.com/errata/RHSA-2026:41036
https://access.redhat.com/errata/RHSA-2026:41036
access.redhat.com/errata/RHSA-2026:41066
https://access.redhat.com/errata/RHSA-2026:41066
access.redhat.com/security/cve/CVE-2026-39830
https://access.redhat.com/security/cve/CVE-2026-39830
bugzilla.redhat.com/show_bug.cgi?id=2480684
https://bugzilla.redhat.com/show_bug.cgi?id=2480684
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json