CVE-2026-39833

Vulnerability Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Vulnerability Details

Published Date

May 22, 2026

Last Modified

May 22, 2026

Source

NVD

Vendor

golang.org/x/crypto

Product

golang.org/x/crypto/ssh/agent

External References

https://go.dev/cl/778640
https://go.dev/cl/778641
https://go.dev/issue/79436
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5005

CVE-2026-39833

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment