{"uuid": "0aaf4d2d-69f3-4712-a84c-53e59d93b2f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39829", "type": "seen", "source": "https://gist.github.com/alon710/404c8247b3af526ba72db3d836620396", "content": "# CVE-2026-39829: Denial of Service in Go SSH Parser\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39829\n\n## Summary\nA high-severity Denial of Service (DoS) vulnerability exists in the golang.org/x/crypto/ssh package prior to version 0.52.0. The vulnerability is caused by a lack of size and range validation on incoming RSA and DSA public key parameters during SSH authentication. An unauthenticated attacker can submit a crafted public key with pathologically large parameters, triggering intensive CPU computation during signature verification and leading to a complete Denial of Service.\n\n## TL;DR\nUnauthenticated remote attackers can exhaust SSH server CPU resources by sending public keys with oversized parameters during the authentication handshake.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1176\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS v3.1 Score**: 7.5\n- **EPSS Score**: 0.00304\n- **Exploit Status**: Proof-of-Concept\n- **Affected Module**: golang.org/x/crypto/ssh\n- **Fixed Version**: v0.52.0\n\n## Affected Systems\n\n- Docker\n- containerd\n- HashiCorp Vault\n- Kubernetes Components\n- Gitea\n- Cloudflared\n- **golang.org/x/crypto/ssh**: < v0.52.0 (Fixed in: `v0.52.0`)\n\n## Mitigation\n\n- Upgrade the golang.org/x/crypto dependency to v0.52.0 or higher.\n- Recompile all downstream packages to embed the fixed dependency.\n- Limit SSH port access using network-level firewall rules.\n\n**Remediation Steps:**\n1. Open the go.mod file of your project.\n2. Update the golang.org/x/crypto line to reference v0.52.0 or higher.\n3. Run 'go mod tidy' to update the lockfile.\n4. Rebuild your binaries and redeploy them to production environments.\n\n## References\n\n- [Go Issue #79565](https://go.dev/issue/79565)\n- [Golang Announce Security Advisory](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [Go Vulnerability Database Entry](https://pkg.go.dev/vuln/GO-2026-5018)\n- [NVD CVE-2026-39829 Record](https://www.cve.org/CVERecord?id=CVE-2026-39829)\n- [Wiz CVE-2026-39829 Analysis](https://www.wiz.io/vulnerability-database/cve/cve-2026-39829)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39829) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T05:42:25.052371Z"}