Vulnerability-Lookup

OPENSUSE-SU-2026:10967-1

Vulnerability from csaf_opensuse - Published: 2026-06-08 00:00 - Updated: 2026-06-08 00:00

Summary

cheat-5.1.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: cheat-5.1.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the cheat-5.1.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10967

CVE-2026-1229

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-39827

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-41506

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42508

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-44740

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-46598

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

References

20 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-1229/	self
https://www.suse.com/security/cve/CVE-2026-39827/	self
https://www.suse.com/security/cve/CVE-2026-41506/	self
https://www.suse.com/security/cve/CVE-2026-42508/	self
https://www.suse.com/security/cve/CVE-2026-44740/	self
https://www.suse.com/security/cve/CVE-2026-46598/	self
https://www.suse.com/security/cve/CVE-2026-1229	external
https://bugzilla.suse.com/1265416	external
https://www.suse.com/security/cve/CVE-2026-39827	external
https://bugzilla.suse.com/1266049	external
https://www.suse.com/security/cve/CVE-2026-41506	external
https://bugzilla.suse.com/1264854	external
https://www.suse.com/security/cve/CVE-2026-42508	external
https://bugzilla.suse.com/1266049	external
https://www.suse.com/security/cve/CVE-2026-44740	external
https://bugzilla.suse.com/1267264	external
https://www.suse.com/security/cve/CVE-2026-46598	external
https://bugzilla.suse.com/1266049	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cheat-5.1.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cheat-5.1.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10967",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10967-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1229 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1229/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-39827 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-39827/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41506 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41506/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42508 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42508/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-44740 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-44740/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46598 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46598/"
      }
    ],
    "title": "cheat-5.1.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-08T00:00:00Z",
      "generator": {
        "date": "2026-06-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10967-1",
      "initial_release_date": "2026-06-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cheat-5.1.0-2.1.aarch64",
                "product": {
                  "name": "cheat-5.1.0-2.1.aarch64",
                  "product_id": "cheat-5.1.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cheat-5.1.0-2.1.ppc64le",
                "product": {
                  "name": "cheat-5.1.0-2.1.ppc64le",
                  "product_id": "cheat-5.1.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cheat-5.1.0-2.1.s390x",
                "product": {
                  "name": "cheat-5.1.0-2.1.s390x",
                  "product_id": "cheat-5.1.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cheat-5.1.0-2.1.x86_64",
                "product": {
                  "name": "cheat-5.1.0-2.1.x86_64",
                  "product_id": "cheat-5.1.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cheat-5.1.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64"
        },
        "product_reference": "cheat-5.1.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cheat-5.1.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le"
        },
        "product_reference": "cheat-5.1.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cheat-5.1.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x"
        },
        "product_reference": "cheat-5.1.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cheat-5.1.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        },
        "product_reference": "cheat-5.1.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-1229",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1229"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1229",
          "url": "https://www.suse.com/security/cve/CVE-2026-1229"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265416 for CVE-2026-1229",
          "url": "https://bugzilla.suse.com/1265416"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-1229"
    },
    {
      "cve": "CVE-2026-39827",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-39827"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection\u0027s internal state and released for garbage collection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-39827",
          "url": "https://www.suse.com/security/cve/CVE-2026-39827"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266049 for CVE-2026-39827",
          "url": "https://bugzilla.suse.com/1266049"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-39827"
    },
    {
      "cve": "CVE-2026-41506",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41506"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41506",
          "url": "https://www.suse.com/security/cve/CVE-2026-41506"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264854 for CVE-2026-41506",
          "url": "https://bugzilla.suse.com/1264854"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41506"
    },
    {
      "cve": "CVE-2026-42508",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42508"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Previously, a revoked \u0027SignatureKey\u0027 belonging to a CA was not correctly checked for revocation. Now, both the \u0027key\u0027 and \u0027key.SignatureKey\u0027 are checked for @revoked.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42508",
          "url": "https://www.suse.com/security/cve/CVE-2026-42508"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266049 for CVE-2026-42508",
          "url": "https://bugzilla.suse.com/1266049"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-42508"
    },
    {
      "cve": "CVE-2026-44740",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-44740"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-44740",
          "url": "https://www.suse.com/security/cve/CVE-2026-44740"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267264 for CVE-2026-44740",
          "url": "https://bugzilla.suse.com/1267264"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-44740"
    },
    {
      "cve": "CVE-2026-46598",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46598"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "For certain crafted inputs, a \u0027ed25519.PrivateKey\u0027 was created by casting malformed wire bytes, leading to a panic when used.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
          "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46598",
          "url": "https://www.suse.com/security/cve/CVE-2026-46598"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266049 for CVE-2026-46598",
          "url": "https://bugzilla.suse.com/1266049"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.aarch64",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.ppc64le",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.s390x",
            "openSUSE Tumbleweed:cheat-5.1.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46598"
    }
  ]
}

CVE-2026-1229 (GCVE-0-2026-1229)

Vulnerability from cvelistv5 – Published: 2026-02-24 07:58 – Updated: 2026-02-24 15:10

Title

Incorrect calculation in CIRCL secp384r1 CombinedMult

Summary

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Severity

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-682 - Incorrect Calculation

Assigner

cloudflare

References

1 reference

URL	Tags
https://github.com/cloudflare/circl

Impacted products

1 product

Vendor	Product	Version
Cloudflare	CIRCL	Affected: CIRCL up to version 1.6.2 , < 1.6.3 (custom)

Credits

Guido Vranken

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T15:04:09.395394Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T15:10:21.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Go"
          ],
          "product": "CIRCL",
          "repo": "https://github.com/cloudflare/circl",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "1.6.3",
              "status": "affected",
              "version": "CIRCL up to version 1.6.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guido Vranken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThe CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\u003cbr\u003eECDH and ECDSA signing relying on this curve are not affected.\u003c/p\u003e\u003cp\u003eThe bug was fixed in \u003cstrong\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\"\u003ev1.6.3\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-682",
              "description": "CWE-682 Incorrect Calculation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T07:58:54.406Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/circl"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Incorrect calculation in CIRCL secp384r1 CombinedMult",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-1229",
    "datePublished": "2026-02-24T07:58:54.406Z",
    "dateReserved": "2026-01-20T13:09:57.206Z",
    "dateUpdated": "2026-02-24T15:10:21.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39827 (GCVE-0-2026-39827)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:35

Title

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

Summary

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

References

4 references

URL	Tags
https://go.dev/issue/35127
https://go.dev/cl/781320
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5016

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

Ziyan Zhou

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39827",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:35:34.770589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:35:40.472Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "channel.Reject"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziyan Zhou"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection\u0027s internal state and released for garbage collection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.064Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/35127"
        },
        {
          "url": "https://go.dev/cl/781320"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5016"
        }
      ],
      "title": "Invoking  memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39827",
    "datePublished": "2026-05-22T02:31:27.064Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:35:40.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41506 (GCVE-0-2026-41506)

Vulnerability from cvelistv5 – Published: 2026-05-08 13:43 – Updated: 2026-05-11 18:50

Title

go-git Credential leak via cross-host redirect in smart HTTP transport

Summary

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

Severity

4.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/go-git/go-git/security/advisor…	x_refsource_CONFIRM
https://github.com/go-git/go-git/releases/tag/v5.18.0	x_refsource_MISC
https://github.com/go-git/go-git/releases/tag/v6.…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-git	go-git	Affected: < 5.18.0 Affected: < 6.0.0-alpha.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41506",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:50:31.355827Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:50:50.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-git",
          "vendor": "go-git",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.18.0"
            },
            {
              "status": "affected",
              "version": "\u003c 6.0.0-alpha.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T13:43:19.911Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963"
        },
        {
          "name": "https://github.com/go-git/go-git/releases/tag/v5.18.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-git/go-git/releases/tag/v5.18.0"
        },
        {
          "name": "https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2"
        }
      ],
      "source": {
        "advisory": "GHSA-3xc5-wrhm-f963",
        "discovery": "UNKNOWN"
      },
      "title": "go-git Credential leak via cross-host redirect in smart HTTP transport"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41506",
    "datePublished": "2026-05-08T13:43:19.911Z",
    "dateReserved": "2026-04-20T18:18:50.681Z",
    "dateUpdated": "2026-05-11T18:50:50.673Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42508 (GCVE-0-2026-42508)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:44

Title

Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

Summary

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79568
https://go.dev/cl/781220
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5021

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh/knownhosts	Affected: 0 , < 0.52.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:43:40.584666Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:44:33.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh/knownhosts",
          "product": "golang.org/x/crypto/ssh/knownhosts",
          "programRoutines": [
            {
              "name": "hostKeyDB.IsRevoked"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Previously, a revoked \u0027SignatureKey\u0027 belonging to a CA was not correctly checked for revocation. Now, both the \u0027key\u0027 and \u0027key.SignatureKey\u0027 are checked for @revoked."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.644Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79568"
        },
        {
          "url": "https://go.dev/cl/781220"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5021"
        }
      ],
      "title": "Invoking  auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-42508",
    "datePublished": "2026-05-22T02:31:27.644Z",
    "dateReserved": "2026-04-28T00:21:12.792Z",
    "dateUpdated": "2026-05-22T18:44:33.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44740 (GCVE-0-2026-44740)

Vulnerability from cvelistv5 – Published: 2026-06-01 16:04 – Updated: 2026-06-01 18:14

Title

go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

Summary

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/go-git/go-billy/security/advis…	x_refsource_CONFIRM
https://github.com/go-git/go-billy/releases/tag/v5.9.0	x_refsource_MISC
https://github.com/go-git/go-billy/releases/tag/v…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-git	go-billy	Affected: < 5.9.0 Affected: < 6.0.0-alpha.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-01T18:13:54.236447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-01T18:14:04.315Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-billy",
          "vendor": "go-git",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.9.0"
            },
            {
              "status": "affected",
              "version": "\u003c 6.0.0-alpha.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T16:04:50.358Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6"
        },
        {
          "name": "https://github.com/go-git/go-billy/releases/tag/v5.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-git/go-billy/releases/tag/v5.9.0"
        },
        {
          "name": "https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1"
        }
      ],
      "source": {
        "advisory": "GHSA-m3xc-h892-ggx6",
        "discovery": "UNKNOWN"
      },
      "title": "go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44740",
    "datePublished": "2026-06-01T16:04:50.358Z",
    "dateReserved": "2026-05-07T18:04:17.310Z",
    "dateUpdated": "2026-06-01T18:14:04.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46598 (GCVE-0-2026-46598)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:14

Title

Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

Summary

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-129 - Improper Validation of Array Index

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79596
https://go.dev/cl/781360
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5033

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh/agent	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-46598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:12:30.585638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:14:37.255Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh/agent",
          "product": "golang.org/x/crypto/ssh/agent",
          "programRoutines": [
            {
              "name": "parseEd25519Cert"
            },
            {
              "name": "parseEd25519Key"
            },
            {
              "name": "ForwardToAgent"
            },
            {
              "name": "ServeAgent"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "For certain crafted inputs, a \u0027ed25519.PrivateKey\u0027 was created by casting malformed wire bytes, leading to a panic when used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-129: Improper Validation of Array Index",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.986Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79596"
        },
        {
          "url": "https://go.dev/cl/781360"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5033"
        }
      ],
      "title": "Invoking  pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-46598",
    "datePublished": "2026-05-22T02:31:27.986Z",
    "dateReserved": "2026-05-15T17:35:00.813Z",
    "dateUpdated": "2026-05-22T18:14:37.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10967-1

CVE-2026-1229 (GCVE-0-2026-1229)

CVE-2026-39827 (GCVE-0-2026-39827)

CVE-2026-41506 (GCVE-0-2026-41506)

CVE-2026-42508 (GCVE-0-2026-42508)

CVE-2026-44740 (GCVE-0-2026-44740)

CVE-2026-46598 (GCVE-0-2026-46598)

Tags

Sightings

Nomenclature