Most recent sightings.

Most recent sightings. https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Fri, 26 Jun 2026 12:20:34 +0000 3805f978-df3e-440a-a4cf-529d1ac7f79d https://vulnerability.circl.lu/sighting/3805f978-df3e-440a-a4cf-529d1ac7f79d/export {"uuid": "3805f978-df3e-440a-a4cf-529d1ac7f79d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39830", "type": "seen", "source": "https://gist.github.com/alon710/88958f43b0e7690b6916b9cfa5c9b9df", "content": "# CVE-2026-39830: CVE-2026-39830: Unsolicited Response Channel Deadlock and Resource Leak in golang.org/x/crypto/ssh\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39830\n\n## Summary\nA denial-of-service (DoS) and resource leak vulnerability in the Go SSH package (golang.org/x/crypto/ssh) allows a malicious peer to permanently deadlock connection processing loops and leak memory. This issue stems from improper handling of unsolicited responses at the global and channel layers, which saturate internal bounded channel buffers and block the main multiplexer loop. The vulnerability is fully resolved in version 0.52.0.\n\n## TL;DR\nUnsolicited global or channel responses fill bounded internal Go channels, deadlocking the connection's read loop and leaking goroutines even after the connection is closed.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-833 (Deadlock)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00392\n- **EPSS Percentile**: 30.94%\n- **Exploit Status**: PoC (No Weaponized Public Exploits)\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- golang.org/x/crypto/ssh\n- **golang.org/x/crypto/ssh**: < 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to version v0.52.0 or later.\n- Implement connection rate limiting at the network boundary.\n- Monitor goroutine counts for unexplained persistent increases.\n\n**Remediation Steps:**\n1. Identify Go modules using golang.org/x/crypto below version 0.52.0.\n2. Execute 'go get golang.org/x/crypto@v0.52.0' in the project root.\n3. Run 'go mod tidy' to update go.sum and dependencies.\n4. Rebuild and redeploy all affected services.\n\n## References\n\n- [Go Vulnerability Advisory GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)\n- [Go Tracking Issue #79564](https://go.dev/issue/79564)\n- [Gerrit CL 781640](https://go.dev/cl/781640)\n- [Gerrit CL 781664](https://go.dev/cl/781664)\n- [Official Golang Announcement](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [CVE-2026-39830 Record Details](https://www.cve.org/CVERecord?id=CVE-2026-39830)\n- [Go Vulnerability Database JSON Data](https://vuln.go.dev/ID/GO-2026-5017.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39830) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T07:43:14.138594Z"} {"uuid": "3805f978-df3e-440a-a4cf-529d1ac7f79d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39830", "type": "seen", "source": "https://gist.github.com/alon710/88958f43b0e7690b6916b9cfa5c9b9df", "content": "# CVE-2026-39830: CVE-2026-39830: Unsolicited Response Channel Deadlock and Resource Leak in golang.org/x/crypto/ssh\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39830\n\n## Summary\nA denial-of-service (DoS) and resource leak vulnerability in the Go SSH package (golang.org/x/crypto/ssh) allows a malicious peer to permanently deadlock connection processing loops and leak memory. This issue stems from improper handling of unsolicited responses at the global and channel layers, which saturate internal bounded channel buffers and block the main multiplexer loop. The vulnerability is fully resolved in version 0.52.0.\n\n## TL;DR\nUnsolicited global or channel responses fill bounded internal Go channels, deadlocking the connection's read loop and leaking goroutines even after the connection is closed.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-833 (Deadlock)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00392\n- **EPSS Percentile**: 30.94%\n- **Exploit Status**: PoC (No Weaponized Public Exploits)\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- golang.org/x/crypto/ssh\n- **golang.org/x/crypto/ssh**: < 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to version v0.52.0 or later.\n- Implement connection rate limiting at the network boundary.\n- Monitor goroutine counts for unexplained persistent increases.\n\n**Remediation Steps:**\n1. Identify Go modules using golang.org/x/crypto below version 0.52.0.\n2. Execute 'go get golang.org/x/crypto@v0.52.0' in the project root.\n3. Run 'go mod tidy' to update go.sum and dependencies.\n4. Rebuild and redeploy all affected services.\n\n## References\n\n- [Go Vulnerability Advisory GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)\n- [Go Tracking Issue #79564](https://go.dev/issue/79564)\n- [Gerrit CL 781640](https://go.dev/cl/781640)\n- [Gerrit CL 781664](https://go.dev/cl/781664)\n- [Official Golang Announcement](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [CVE-2026-39830 Record Details](https://www.cve.org/CVERecord?id=CVE-2026-39830)\n- [Go Vulnerability Database JSON Data](https://vuln.go.dev/ID/GO-2026-5017.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39830) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T07:43:14.138594Z"} https://vulnerability.circl.lu/sighting/3805f978-df3e-440a-a4cf-529d1ac7f79d/export Fri, 26 Jun 2026 07:43:14 +0000