{"uuid": "85af0409-df69-4632-b849-9b4d40b8d297", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://gist.github.com/alon710/c4000d6cf995053d5e37ba048c93349d", "content": "# CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39835\n\n## Summary\nA Denial of Service (DoS) vulnerability exists in the Go SSH implementation package (golang.org/x/crypto/ssh). The vulnerability is caused by a null pointer dereference (runtime panic) when CertChecker is utilized as a public key callback but its validation fields, IsUserAuthority or IsHostAuthority, are uninitialized.\n\n## TL;DR\nAn unauthenticated remote attacker can crash Go SSH servers using CertChecker by presenting certificates during the handshake, exploiting uninitialized function pointers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-476\n- **Attack Vector**: Network\n- **CVSS Severity**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept\n- **Affected Package**: golang.org/x/crypto/ssh\n- **Fixed Version**: v0.52.0\n\n## Affected Systems\n\n- Docker / Moby\n- HashiCorp Vault\n- Prometheus\n- Gitea\n- containerd\n- Podman\n- Trivy\n- Amazon CloudWatch Agent\n- AWS Systems Manager Agent (SSM)\n- SOPS\n- Atlantis\n- Cloudflared\n- Splunk OpenTelemetry Collector\n- **golang.org/x/crypto**: < 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to v0.52.0 or higher.\n- Audit CertChecker instantiations to ensure all authority callbacks are non-nil.\n- Implement fallback validation functions that explicitly deny requests instead of leaving them uninitialized.\n\n**Remediation Steps:**\n1. Verify local Go installation and project dependencies.\n2. Run 'go get golang.org/x/crypto@v0.52.0' to update the module.\n3. Run 'go mod tidy' to synchronize dependencies.\n4. Recompile and redeploy the affected services.\n5. Verify vulnerability remediation using 'govulncheck'.\n\n## References\n\n- [Go Issue 79563](https://go.dev/issue/79563)\n- [Go Announce Mailing List](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [Go VulnDB Entry GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39835) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T08:42:13.243537Z"}