AIKIDO-2026-11033
golang.org/x/crypto is vulnerable to Protection Mechanism Failure
91
Critical Risk
This Affects:
golang.org/x/cryptoTL;DR
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh/agent functionalities.
Background info
golang.org/x/crypto is vulnerable to Protection Mechanism Failure in versions 0.0.0 - 0.51.0.
How to fix this
Upgrade the golang.org/x/crypto library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant