{"uuid": "a898a33f-3c35-44a8-b0ed-bc2b87983b56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46597", "type": "seen", "source": "https://gist.github.com/alon710/0234a3b8537da177958a0a725a5f30b9", "content": "# CVE-2026-46597: Remote Denial of Service in golang.org/x/crypto/ssh via AES-GCM Padding Integer Overflow\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-46597\n\n## Summary\nA high-severity Denial of Service (DoS) vulnerability (CVE-2026-46597 / GO-2026-5013) exists in the golang.org/x/crypto/ssh module before version v0.52.0. The flaw stems from an incorrect operator order during a type conversion of the GCM packet padding size, allowing a remote, unauthenticated attacker to trigger an out-of-bounds slice runtime panic and crash the Go process.\n\n## TL;DR\nUnauthenticated remote attackers can crash Go-based SSH servers or clients using AES-GCM ciphers by exploiting an integer overflow in padding length checks.\n\n## Technical Details\n\n- **CWE ID**: CWE-191 / CWE-704\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00359 (27.78% percentile)\n- **Impact**: Complete Denial of Service (A:H)\n- **Exploit Status**: Unproven / No Public PoC\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- golang.org/x/crypto/ssh\n- Docker\n- containerd\n- HashiCorp Vault\n- Gitea\n- Prometheus\n- AWS Systems Manager Agent (SSM)\n- cAdvisor\n- Podman\n- Trivy\n- **golang.org/x/crypto**: < v0.52.0 (Fixed in: `v0.52.0`)\n\n## Mitigation\n\n- Upgrade the golang.org/x/crypto module to version v0.52.0 or later and recompile downstream applications.\n- Disable AES-GCM cipher suites (aes128-gcm@openssh.com, aes256-gcm@openssh.com) in the SSH server and client configurations.\n\n**Remediation Steps:**\n1. Update your go.mod file: run 'go get golang.org/x/crypto@v0.52.0'\n2. Run 'go mod tidy' to update dependency trees.\n3. Rebuild and redeploy all affected services and container images.\n4. Verify dependencies across downstream microservices using SCA tools.\n\n## References\n\n- [Go Issue Tracker: Issue 79561](https://go.dev/issue/79561)\n- [Go Gerrit Change List CL 781620](https://go.dev/cl/781620)\n- [Go Gitiles Code Patch Commit abbc44d](https://go.googlesource.com/crypto/+/abbc44d451a6f9236a2bbd26cbcd4d0fec473da3^!)\n- [Go Vulnerability Database Entry GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013)\n- [Go Announcements Mailing List](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [CVE Registry Entry CVE-2026-46597](https://www.cve.org/CVERecord?id=CVE-2026-46597)\n- [Wiz Vulnerability Advisory](https://www.wiz.io/vulnerability-database/cve/cve-2026-46597)\n- [Shodan Search Queries](https://www.shodan.io/search?query=CVE-2026-46597)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-46597) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T13:42:31.989216Z"}