CVE-2026-39827

Vulnerability Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Vulnerability Details

Published Date

May 22, 2026

Last Modified

May 22, 2026

Source

NVD

Vendor

golang.org/x/crypto

Product

golang.org/x/crypto/ssh

External References

https://go.dev/cl/781320
https://go.dev/issue/35127
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5016

CVE-2026-39827

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment