Intel

AIKIDO-2026-11027

golang.org/x/crypto is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-42508 Published Jun 2, 2026

91

Critical Risk

This Affects:

GOgolang.org/x/crypto
0.0.0 - 0.51.0
Fixed in 0.52.0
Are you affected? Scan for Free

TL;DR

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh/knownhosts functionalities.

Background info

golang.org/x/crypto is vulnerable to Authorization Bypass in versions 0.0.0 - 0.51.0.

How to fix this

Upgrade the golang.org/x/crypto library to the patch version.

Links

pkg.go.dev/vuln/GO-2026-5021
https://pkg.go.dev/vuln/GO-2026-5021
go.dev/cl/781220
https://go.dev/cl/781220
go.dev/issue/79568
https://go.dev/issue/79568
groups.google.com/g/golang-announce/c/a082jnz-LvI
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
access.redhat.com/errata/RHSA-2026:23262
https://access.redhat.com/errata/RHSA-2026:23262
access.redhat.com/errata/RHSA-2026:23264
https://access.redhat.com/errata/RHSA-2026:23264
access.redhat.com/errata/RHSA-2026:26546
https://access.redhat.com/errata/RHSA-2026:26546
access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:26547
access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:35833
access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:36648
access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36651
access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36796
access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:36797
access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:36808
access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37072
access.redhat.com/errata/RHSA-2026:37123
https://access.redhat.com/errata/RHSA-2026:37123
access.redhat.com/errata/RHSA-2026:37387
https://access.redhat.com/errata/RHSA-2026:37387
access.redhat.com/security/cve/CVE-2026-42508
https://access.redhat.com/security/cve/CVE-2026-42508
bugzilla.redhat.com/show_bug.cgi?id=2480688
https://bugzilla.redhat.com/show_bug.cgi?id=2480688
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42508.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42508.json