CVE-2026-39827

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh	affected `0 - < 0.52.0`

References

https://go.dev/issue/35127

https://go.dev/cl/781320

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://pkg.go.dev/vuln/GO-2026-5016

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-39827

Description

Affected Products

References