Intel

AIKIDO-2026-11033

golang.org/x/crypto is vulnerable to Protection Mechanism Failure

Protection Mechanism FailureCVE-2026-39832 Published Jun 2, 2026

91

Critical Risk

This Affects:

GOgolang.org/x/crypto
0.0.0 - 0.51.0
Fixed in 0.52.0
Are you affected? Scan for Free

TL;DR

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/crypto/ssh/agent functionalities.

Background info

golang.org/x/crypto is vulnerable to Protection Mechanism Failure in versions 0.0.0 - 0.51.0.

How to fix this

Upgrade the golang.org/x/crypto library to the patch version.

Links

pkg.go.dev/vuln/GO-2026-5006
https://pkg.go.dev/vuln/GO-2026-5006
go.dev/cl/778642
https://go.dev/cl/778642
go.dev/issue/79435
https://go.dev/issue/79435
groups.google.com/g/golang-announce/c/a082jnz-LvI
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
access.redhat.com/errata/RHSA-2026:35833
https://access.redhat.com/errata/RHSA-2026:35833
access.redhat.com/errata/RHSA-2026:36199
https://access.redhat.com/errata/RHSA-2026:36199
access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36319
access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36625
access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:36648
access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36651
access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36796
access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:36797
access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37072
access.redhat.com/errata/RHSA-2026:37123
https://access.redhat.com/errata/RHSA-2026:37123
access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:37271
access.redhat.com/errata/RHSA-2026:37387
https://access.redhat.com/errata/RHSA-2026:37387
access.redhat.com/errata/RHSA-2026:37410
https://access.redhat.com/errata/RHSA-2026:37410
access.redhat.com/errata/RHSA-2026:40118
https://access.redhat.com/errata/RHSA-2026:40118
access.redhat.com/errata/RHSA-2026:40262
https://access.redhat.com/errata/RHSA-2026:40262
access.redhat.com/errata/RHSA-2026:40945
https://access.redhat.com/errata/RHSA-2026:40945
access.redhat.com/errata/RHSA-2026:40972
https://access.redhat.com/errata/RHSA-2026:40972
access.redhat.com/errata/RHSA-2026:41019
https://access.redhat.com/errata/RHSA-2026:41019
access.redhat.com/errata/RHSA-2026:41031
https://access.redhat.com/errata/RHSA-2026:41031
access.redhat.com/errata/RHSA-2026:41036
https://access.redhat.com/errata/RHSA-2026:41036
access.redhat.com/errata/RHSA-2026:41066
https://access.redhat.com/errata/RHSA-2026:41066
access.redhat.com/security/cve/CVE-2026-39832
https://access.redhat.com/security/cve/CVE-2026-39832
bugzilla.redhat.com/show_bug.cgi?id=2480685
https://bugzilla.redhat.com/show_bug.cgi?id=2480685
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json