CVE-2026-39827
Analyzed Analyzed - Analysis Complete
Memory Exhaustion in Go SSH Server

Publication date: 2026-05-22

Last updated on: 2026-05-26

Assigner: Go Project

Description
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-26
Generated
2026-06-12
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-39827
EUVD
EUVD-2026-31392
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang crypto to 0.52.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-924 The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the SSH implementation of golang.org/x/crypto where an authenticated SSH client repeatedly opens channels that are rejected by the server.

Because these rejected channels were not properly removed from the server's internal state, they caused unbounded memory growth.

This memory leak eventually leads to the server process crashing and affects all connected users.

The issue was fixed by ensuring that rejected channels are properly removed from the connection's internal state and released for garbage collection.

Impact Analysis

This vulnerability can cause the SSH server to consume increasing amounts of memory when an authenticated client repeatedly opens rejected channels.

The unbounded memory growth can eventually crash the server process.

When the server crashes, all connected users are affected, potentially causing denial of service and disruption of operations.

Mitigation Strategies

To mitigate this vulnerability, update the golang.org/x/crypto/ssh package to version v0.52.0 or later, where the issue has been fixed.

The fix ensures that rejected SSH channels are properly removed from the connection's internal state and released for garbage collection, preventing unbounded memory growth and server crashes.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart