Intel

AIKIDO-2026-11030

golang.org/x/crypto is vulnerable to Denial Of Service (DoS)

Denial Of Service (DoS)CVE-2026-39835 Published Jun 2, 2026

53

Medium Risk

This Affects:

GOgolang.org/x/crypto
0.0.0 - 0.51.0
Fixed in 0.52.0
Are you affected? Scan for Free

TL;DR

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh functionalities.

Background info

golang.org/x/crypto is vulnerable to Denial Of Service (DoS) in versions 0.0.0 - 0.51.0.

How to fix this

Upgrade the golang.org/x/crypto library to the patch version.

Links

pkg.go.dev/vuln/GO-2026-5015
https://pkg.go.dev/vuln/GO-2026-5015
go.dev/cl/781660
https://go.dev/cl/781660
go.dev/issue/79563
https://go.dev/issue/79563
groups.google.com/g/golang-announce/c/a082jnz-LvI
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
access.redhat.com/errata/RHSA-2026:26546
https://access.redhat.com/errata/RHSA-2026:26546
access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:26547
access.redhat.com/errata/RHSA-2026:36199
https://access.redhat.com/errata/RHSA-2026:36199
access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36207
access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36319
access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36625
access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:36648
access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36651
access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36796
access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:36797
access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37072
access.redhat.com/errata/RHSA-2026:37123
https://access.redhat.com/errata/RHSA-2026:37123
access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:37268
access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:37271
access.redhat.com/errata/RHSA-2026:37272
https://access.redhat.com/errata/RHSA-2026:37272
access.redhat.com/errata/RHSA-2026:37286
https://access.redhat.com/errata/RHSA-2026:37286
access.redhat.com/errata/RHSA-2026:37296
https://access.redhat.com/errata/RHSA-2026:37296
access.redhat.com/errata/RHSA-2026:37387
https://access.redhat.com/errata/RHSA-2026:37387
access.redhat.com/errata/RHSA-2026:37410
https://access.redhat.com/errata/RHSA-2026:37410
access.redhat.com/errata/RHSA-2026:38504
https://access.redhat.com/errata/RHSA-2026:38504
access.redhat.com/errata/RHSA-2026:40118
https://access.redhat.com/errata/RHSA-2026:40118
access.redhat.com/errata/RHSA-2026:40262
https://access.redhat.com/errata/RHSA-2026:40262
access.redhat.com/errata/RHSA-2026:40945
https://access.redhat.com/errata/RHSA-2026:40945
access.redhat.com/errata/RHSA-2026:40969
https://access.redhat.com/errata/RHSA-2026:40969
access.redhat.com/errata/RHSA-2026:40972
https://access.redhat.com/errata/RHSA-2026:40972
access.redhat.com/errata/RHSA-2026:40974
https://access.redhat.com/errata/RHSA-2026:40974
access.redhat.com/errata/RHSA-2026:41019
https://access.redhat.com/errata/RHSA-2026:41019
access.redhat.com/errata/RHSA-2026:41031
https://access.redhat.com/errata/RHSA-2026:41031
access.redhat.com/errata/RHSA-2026:41036
https://access.redhat.com/errata/RHSA-2026:41036
access.redhat.com/errata/RHSA-2026:41066
https://access.redhat.com/errata/RHSA-2026:41066
access.redhat.com/security/cve/CVE-2026-39835
https://access.redhat.com/security/cve/CVE-2026-39835
bugzilla.redhat.com/show_bug.cgi?id=2480680
https://bugzilla.redhat.com/show_bug.cgi?id=2480680
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39835.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39835.json