Invoking client can cause server deadlock on unexpected responses in...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

AI Analysis

SSH server deadlock vulnerability due to unsolicited global request responses

Basic Information

ID CVE-2026-39830

Source Go

Published May 22, 2026 at 02:31

Modified May 22, 2026 at 18:54

Affected Product

Vendor golang.org/x/crypto

Product golang.org/x/crypto/ssh

Affected Versions golang.org/x/crypto golang.org/x/crypto/ssh 0

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor The Go Authors

Product go.crypto/ssh

References

{
    "lastseen": "",
    "description": "A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.",
    "published": "2026-05-22T02:31:27.208Z",
    "modified": "2026-05-22T18:54:54.686Z",
    "type": "cve",
    "title": "Invoking  client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh",
    "source": "Go",
    "references": "https://go.dev/issue/79564\nhttps://groups.google.com/g/golang-announce/c/a082jnz-LvI\nhttps://go.dev/cl/781640\nhttps://go.dev/cl/781664\nhttps://pkg.go.dev/vuln/GO-2026-5017",
    "id": "CVE-2026-39830",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "golang.org/x/crypto golang.org/x/crypto/ssh 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "golang.org/x/crypto/ssh",
    "version": "0",
    "vendor": "golang.org/x/crypto",
    "ai_description": "SSH server deadlock vulnerability due to unsolicited global request responses",
    "ai_severity": "Critical",
    "ai_vendor": "The Go Authors",
    "ai_product": "go.crypto/ssh",
    "ai_version": "0",
    "ai_score": 9.1
}

Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh_CVE-2026-39830