CVE-2026-42508

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Vendor	Product	Versions
golang.org/x/crypto	golang.org/x/crypto/ssh/knownhosts	affected `0 - < 0.52.0`

References

https://go.dev/issue/79568

https://go.dev/cl/781220

https://groups.google.com/g/golang-announce/c/a082jnz-LvI

https://pkg.go.dev/vuln/GO-2026-5021

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42508

Description

Affected Products

References