{"uuid": "99df6565-39b6-48ed-8f6b-bff6558faa73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39827", "type": "seen", "source": "https://gist.github.com/alon710/c23e66a189a2d9bd2d0b0916f9459aaf", "content": "# CVE-2026-39827: Denial of Service via Unbounded Memory Growth in Go SSH (golang.org/x/crypto/ssh)\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39827\n\n## Summary\nAn unbounded memory growth bug in the Go SSH package (golang.org/x/crypto/ssh) lets an authenticated client exhaust server memory by repeatedly opening connection channels that the server rejects. Memory tied to each rejected channel is never released (CWE-401), so the server process grows with every such request until it is killed or the host runs out of memory.\n\n## TL;DR\ngolang.org/x/crypto/ssh before version 0.52.0 leaks memory on every channel-open request the server rejects. An authenticated client can send such requests in a loop to drive the server into memory exhaustion (denial of service). Fixed in 0.52.0.\n\n## Technical Details\n\n- **CWE ID**: CWE-401 (Missing Release of Memory after Effective Lifetime)\n- **Attack Vector**: Network (AV:N); the attacker needs an authenticated SSH session\n- **CVSS Score**: 6.5 (Medium)\n- **EPSS Score**: 0.00196 (about 0.2% estimated probability of exploitation activity in the next 30 days)\n- **Impact**: Denial of Service (DoS) through memory exhaustion\n- **Exploit Status**: No public exploit known\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Any Go application that runs an SSH server built on golang.org/x/crypto/ssh; the report covers the server side only\n- Gitea SSH servers\n- Docker/Podman daemon SSH components\n- HashiCorp Vault SSH secrets engine\n- **golang.org/x/crypto/ssh**: < 0.52.0 (fixed in `0.52.0`; the ssh package is versioned with the golang.org/x/crypto module)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to version 0.52.0 or later.\n- Rebuild and redeploy every Go binary that links the package (refresh any vendored copy of the module first): Go binaries embed their dependencies at build time, so updating go.mod alone does nothing for binaries already deployed.\n- Until the upgrade is deployed, monitor for sessions that repeatedly open channels the server rejects, and disconnect or rate-limit them. The attack requires a valid login, so also review which accounts can authenticate to the affected service.\n\n**Remediation Steps:**\n1. Identify every Go project whose module graph includes 'golang.org/x/crypto', directly or through another dependency.\n2. Run 'go get golang.org/x/crypto@v0.52.0' in the module root of each affected project.\n3. Run 'go mod tidy' to update go.mod and go.sum.\n4. Rebuild the binaries, confirm the embedded module version with 'go version -m' on each binary, and redeploy the affected applications.\n5. Optionally run govulncheck against the rebuilt projects; it checks the Go vulnerability database that carries this advisory (GO-2026-5016) and should no longer report it.\n\n## References\n\n- [Go CL 781320 (go.dev)](https://go.dev/cl/781320)\n- [Go CL 781320 (go-review.googlesource.com)](https://go-review.googlesource.com/c/crypto/+/781320)\n- [Go GitHub Issue #35127](https://github.com/golang/go/issues/35127)\n- [Go Vulnerability Database: GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016)\n- [CVE-2026-39827 Record](https://www.cve.org/CVERecord?id=CVE-2026-39827)\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39827) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T08:22:06.250429Z"}