QwikSec

Security Database

CVE

CWE

Training

CVE-2026-39830

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh	affected `0 - < 0.52.0`

References

https://go.dev/issue/79564

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://go.dev/cl/781640

https://go.dev/cl/781664

https://pkg.go.dev/vuln/GO-2026-5017

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.