<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-28T11:31:50.370385+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/718aa917-072e-44f4-b948-7bc47bb32e46/export</id>
    <title>718aa917-072e-44f4-b948-7bc47bb32e46</title>
    <updated>2026-06-28T11:31:50.396616+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "718aa917-072e-44f4-b948-7bc47bb32e46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmgc7xj2rw2e", "content": "CVE-2026-39835 - Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh\nCVE ID : CVE-2026-39835\n \n Published : May 22, 2026, 4:16 a.m. | 1\u00a0hour, 34\u00a0minutes ago\n \n Description : SSH servers which use CertChecker as a public key callback without settin...", "creation_timestamp": "2026-05-22T06:21:59.794399Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/718aa917-072e-44f4-b948-7bc47bb32e46/export"/>
    <published>2026-05-22T06:21:59.794399+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/dcdd3953-bcb0-4e80-948e-319ba3f0c90f/export</id>
    <title>dcdd3953-bcb0-4e80-948e-319ba3f0c90f</title>
    <updated>2026-06-28T11:31:50.396545+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "dcdd3953-bcb0-4e80-948e-319ba3f0c90f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39832", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmgd2bheui2t", "content": "CVE-2026-39832 - Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent\nCVE ID : CVE-2026-39832\n \n Published : May 22, 2026, 4:16 a.m. | 1\u00a0hour, 34\u00a0minutes ago\n \n Description : When adding a key to a remote agent constraint extensions such as ...", "creation_timestamp": "2026-05-22T06:36:42.908127Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/dcdd3953-bcb0-4e80-948e-319ba3f0c90f/export"/>
    <published>2026-05-22T06:36:42.908127+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b8c1ad5f-62af-49e8-a80f-c5f8a7321a37/export</id>
    <title>b8c1ad5f-62af-49e8-a80f-c5f8a7321a37</title>
    <updated>2026-06-28T11:31:50.396485+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b8c1ad5f-62af-49e8-a80f-c5f8a7321a37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39833", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116620160885281925", "content": "Attention, elevated activities detected targeting x-crypto (CVE-2026-39833) https://vuldb.com/vuln/365128/cti", "creation_timestamp": "2026-05-22T20:40:35.850377Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b8c1ad5f-62af-49e8-a80f-c5f8a7321a37/export"/>
    <published>2026-05-22T20:40:35.850377+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/06ce3ba4-ce58-4cef-839f-14fb72d62c1a/export</id>
    <title>06ce3ba4-ce58-4cef-839f-14fb72d62c1a</title>
    <updated>2026-06-28T11:31:50.396424+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "06ce3ba4-ce58-4cef-839f-14fb72d62c1a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39831", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mmp34s6rls2e", "content": "#openSUSE Tumbleweed just dropped mcphost 0.34.0-5.1 \u2013 fixes 5 CVEs including a FIDO SSH key bypass (CVE-2026-39831). Read more -&amp;gt; tinyurl.com/48a52xb4", "creation_timestamp": "2026-05-25T18:09:02.599954Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/06ce3ba4-ce58-4cef-839f-14fb72d62c1a/export"/>
    <published>2026-05-25T18:09:02.599954+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/18ed88d0-5293-4245-9807-4370a45dedaa/export</id>
    <title>18ed88d0-5293-4245-9807-4370a45dedaa</title>
    <updated>2026-06-28T11:31:50.396363+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "18ed88d0-5293-4245-9807-4370a45dedaa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39831", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mmp34ybf522e", "content": "#openSUSE Tumbleweed just dropped mcphost 0.34.0-5.1 \u2013 fixes 5 CVEs including a FIDO SSH key bypass (CVE-2026-39831). Read more -&amp;gt; tinyurl.com/48a52xb4", "creation_timestamp": "2026-05-25T18:09:03.171453Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/18ed88d0-5293-4245-9807-4370a45dedaa/export"/>
    <published>2026-05-25T18:09:03.171453+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/04d53b28-9192-44fc-afdd-e2b20daf0d00/export</id>
    <title>04d53b28-9192-44fc-afdd-e2b20daf0d00</title>
    <updated>2026-06-28T11:31:50.396295+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "04d53b28-9192-44fc-afdd-e2b20daf0d00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39831", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mmp34ybi2s2e", "content": "#openSUSE Tumbleweed just dropped mcphost 0.34.0-5.1 \u2013 fixes 5 CVEs including a FIDO SSH key bypass (CVE-2026-39831). Read more -&amp;gt; tinyurl.com/48a52xb4", "creation_timestamp": "2026-05-25T18:09:03.687374Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/04d53b28-9192-44fc-afdd-e2b20daf0d00/export"/>
    <published>2026-05-25T18:09:03.687374+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b67caec6-d38e-4e6b-b620-3958829e7dfb/export</id>
    <title>b67caec6-d38e-4e6b-b620-3958829e7dfb</title>
    <updated>2026-06-28T11:31:50.396230+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b67caec6-d38e-4e6b-b620-3958829e7dfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mnafjazque2y", "content": "\ud83d\udd17 CVE : CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466, CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466", "creation_timestamp": "2026-06-01T15:38:41.030805Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b67caec6-d38e-4e6b-b620-3958829e7dfb/export"/>
    <published>2026-06-01T15:38:41.030805+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3805f978-df3e-440a-a4cf-529d1ac7f79d/export</id>
    <title>3805f978-df3e-440a-a4cf-529d1ac7f79d</title>
    <updated>2026-06-28T11:31:50.396153+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "3805f978-df3e-440a-a4cf-529d1ac7f79d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39830", "type": "seen", "source": "https://gist.github.com/alon710/88958f43b0e7690b6916b9cfa5c9b9df", "content": "# CVE-2026-39830: CVE-2026-39830: Unsolicited Response Channel Deadlock and Resource Leak in golang.org/x/crypto/ssh\n\n&amp;gt; **CVSS Score:** 9.1\n&amp;gt; **Published:** 2026-06-25\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-39830\n\n## Summary\nA denial-of-service (DoS) and resource leak vulnerability in the Go SSH package (golang.org/x/crypto/ssh) allows a malicious peer to permanently deadlock connection processing loops and leak memory. This issue stems from improper handling of unsolicited responses at the global and channel layers, which saturate internal bounded channel buffers and block the main multiplexer loop. The vulnerability is fully resolved in version 0.52.0.\n\n## TL;DR\nUnsolicited global or channel responses fill bounded internal Go channels, deadlocking the connection's read loop and leaking goroutines even after the connection is closed.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-833 (Deadlock)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00392\n- **EPSS Percentile**: 30.94%\n- **Exploit Status**: PoC (No Weaponized Public Exploits)\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- golang.org/x/crypto/ssh\n- **golang.org/x/crypto/ssh**: &amp;lt; 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to version v0.52.0 or later.\n- Implement connection rate limiting at the network boundary.\n- Monitor goroutine counts for unexplained persistent increases.\n\n**Remediation Steps:**\n1. Identify Go modules using golang.org/x/crypto below version 0.52.0.\n2. Execute 'go get golang.org/x/crypto@v0.52.0' in the project root.\n3. Run 'go mod tidy' to update go.sum and dependencies.\n4. Rebuild and redeploy all affected services.\n\n## References\n\n- [Go Vulnerability Advisory GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)\n- [Go Tracking Issue #79564](https://go.dev/issue/79564)\n- [Gerrit CL 781640](https://go.dev/cl/781640)\n- [Gerrit CL 781664](https://go.dev/cl/781664)\n- [Official Golang Announcement](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [CVE-2026-39830 Record Details](https://www.cve.org/CVERecord?id=CVE-2026-39830)\n- [Go Vulnerability Database JSON Data](https://vuln.go.dev/ID/GO-2026-5017.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39830) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T07:43:14.138594Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3805f978-df3e-440a-a4cf-529d1ac7f79d/export"/>
    <published>2026-06-26T07:43:14.138594+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/85af0409-df69-4632-b849-9b4d40b8d297/export</id>
    <title>85af0409-df69-4632-b849-9b4d40b8d297</title>
    <updated>2026-06-28T11:31:50.396053+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "85af0409-df69-4632-b849-9b4d40b8d297", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://gist.github.com/alon710/c4000d6cf995053d5e37ba048c93349d", "content": "# CVE-2026-39835: CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-25\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-39835\n\n## Summary\nA Denial of Service (DoS) vulnerability exists in the Go SSH implementation package (golang.org/x/crypto/ssh). The vulnerability is caused by a null pointer dereference (runtime panic) when CertChecker is utilized as a public key callback but its validation fields, IsUserAuthority or IsHostAuthority, are uninitialized.\n\n## TL;DR\nAn unauthenticated remote attacker can crash Go SSH servers using CertChecker by presenting certificates during the handshake, exploiting uninitialized function pointers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-476\n- **Attack Vector**: Network\n- **CVSS Severity**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept\n- **Affected Package**: golang.org/x/crypto/ssh\n- **Fixed Version**: v0.52.0\n\n## Affected Systems\n\n- Docker / Moby\n- HashiCorp Vault\n- Prometheus\n- Gitea\n- containerd\n- Podman\n- Trivy\n- Amazon CloudWatch Agent\n- AWS Systems Manager Agent (SSM)\n- SOPS\n- Atlantis\n- Cloudflared\n- Splunk OpenTelemetry Collector\n- **golang.org/x/crypto**: &amp;lt; 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to v0.52.0 or higher.\n- Audit CertChecker instantiations to ensure all authority callbacks are non-nil.\n- Implement fallback validation functions that explicitly deny requests instead of leaving them uninitialized.\n\n**Remediation Steps:**\n1. Verify local Go installation and project dependencies.\n2. Run 'go get golang.org/x/crypto@v0.52.0' to update the module.\n3. Run 'go mod tidy' to synchronize dependencies.\n4. Recompile and redeploy the affected services.\n5. Verify vulnerability remediation using 'govulncheck'.\n\n## References\n\n- [Go Issue 79563](https://go.dev/issue/79563)\n- [Go Announce Mailing List](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [Go VulnDB Entry GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39835) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T08:42:13.243537Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/85af0409-df69-4632-b849-9b4d40b8d297/export"/>
    <published>2026-06-26T08:42:13.243537+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f60d3d23-28f8-48d5-aaef-0df6c538e2ef/export</id>
    <title>f60d3d23-28f8-48d5-aaef-0df6c538e2ef</title>
    <updated>2026-06-28T11:31:50.392924+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f60d3d23-28f8-48d5-aaef-0df6c538e2ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39832", "type": "seen", "source": "https://gist.github.com/alon710/ef1198280eb29f6a5974c2c64ac1ec7a", "content": "# CVE-2026-39832: CVE-2026-39832: Silent Drop of Destination Constraints in golang.org/x/crypto SSH Agent Client\n\n&amp;gt; **CVSS Score:** 9.1\n&amp;gt; **Published:** 2026-06-25\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-39832\n\n## Summary\nA critical security flaw was identified in the Go package golang.org/x/crypto/ssh/agent. The vulnerability arises during the serialization of key constraints when adding SSH identities to a remote agent or an in-memory keyring. Specifically, custom constraint extensions, such as destination restrictions like restrict-destination-v00@openssh.com, were silently omitted from serialization in client requests. This omission allowed keys to be loaded into the remote agent with zero destination-based restrictions, enabling unauthorized users with access to the agent socket on intermediate hosts to authenticate to any downstream host without policy enforcement. The issue was resolved in version v0.52.0 of the golang.org/x/crypto library.\n\n## TL;DR\nAn issue in the Go SSH agent client silently drops custom key constraints during serialization, allowing attackers on a compromised jump host to reuse forwarded keys without restrictions and bypass security boundaries.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-281\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.1\n- **EPSS Score**: 0.00397 (Percentile: 31.59%)\n- **Impact**: Unrestricted lateral movement via forwarded SSH keys\n- **Exploit Status**: Proof of Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- golang.org/x/crypto/ssh/agent\n- **golang.org/x/crypto**: &amp;lt; 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to version v0.52.0 or newer\n- Disable SSH Agent Forwarding on untrusted intermediate servers\n- Use native OpenSSH client implementations for operations requiring key constraints\n\n**Remediation Steps:**\n1. Identify all projects importing golang.org/x/crypto.\n2. Execute 'go get golang.org/x/crypto@v0.52.0' to update the library.\n3. Run 'go mod tidy' to update the go.sum file.\n4. Recompile and redeploy the Go applications.\n5. Audit existing deployment tooling and jump hosts to verify if agent forwarding is active and modify SSH configurations to restrict agent forwarding where possible.\n\n## References\n\n- [Go Vulnerability Database Report](https://pkg.go.dev/vuln/GO-2026-5006)\n- [Go Issue Tracker #79435](https://go.dev/issue/79435)\n- [Gerrit Code Review Fix Commit CL 778642](https://go.dev/cl/778642)\n- [Official Golang Announcement](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [CVE-2026-39832 Record](https://www.cve.org/CVERecord?id=CVE-2026-39832)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39832) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T14:12:20.921922Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f60d3d23-28f8-48d5-aaef-0df6c538e2ef/export"/>
    <published>2026-06-26T14:12:20.921922+00:00</published>
  </entry>
</feed>
