CVE-2026-39827
Memory Exhaustion in Go SSH Server
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | crypto | to v0.52.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the SSH implementation of golang.org/x/crypto where an authenticated SSH client repeatedly opens channels that are rejected by the server.
Because rejected channels were not removed from the server's internal connection state, each one stayed referenced and memory grew without bound.
This memory leak eventually leads to the server process crashing, which affects all connected users.
The issue was fixed by ensuring that rejected channels are properly removed from the connection's internal state and released for garbage collection.
How can this vulnerability impact me?
This vulnerability can cause the SSH server to consume increasing amounts of memory when an authenticated client repeatedly opens rejected channels.
The unbounded memory growth can eventually crash the server process.
When the server crashes, all connected users are affected, potentially causing denial of service and disruption of operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the golang.org/x/crypto/ssh package to version v0.52.0 or later, where the issue has been fixed.
The fix ensures that rejected SSH channels are properly removed from the connection's internal state and released for garbage collection, preventing unbounded memory growth and server crashes.
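As an added example (not part of this advisory and not code from the Go project), the following Go program turns the mitigation step above into a check: it compares a golang.org/x/crypto module version against the fixed version v0.52.0 stated in the advisory, either from a go.mod file or from the module list embedded in a built binary. The fixed version and module path come from the page; the function names, the semver parsing and the constructed sample go.mod are assumptions made for this example. Go pseudo-versions (commit snapshots) and other pre-release suffixes of v0.52.0 are treated as still vulnerable, since they sort before the tagged release.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module and FixedVersion are taken from the advisory text: the affected
// module and the first release that contains the fix for CVE-2026-39827.
const Module = "golang.org/x/crypto"
const FixedVersion = "v0.52.0"

// SampleGoMod is a constructed go.mod fragment used to demonstrate the scan;
// it is not taken from any real project.
const SampleGoMod = `module example.invalid/sshd

go 1.22

require (
	golang.org/x/crypto v0.51.0 // indirect
	golang.org/x/sys v0.30.0
)
`

// parseVersion splits a module version such as "v0.51.0" or the pseudo-version
// "v0.51.1-0.20260101120000-abcdef123456" into major/minor/patch and reports
// whether a pre-release suffix was present.
func parseVersion(v string) (major, minor, patch int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release or pseudo-version
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false, fmt.Errorf("unrecognised version %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, false, fmt.Errorf("unrecognised version %q: %w", v, convErr)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], pre, nil
}

// IsVulnerable reports whether version sorts before FixedVersion. A pre-release
// of the fixed version itself is still considered vulnerable.
func IsVulnerable(version string) (bool, error) {
	ma, mi, pa, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fma, fmi, fpa, _, _ := parseVersion(FixedVersion)
	switch {
	case ma != fma:
		return ma < fma, nil
	case mi != fmi:
		return mi < fmi, nil
	case pa != fpa:
		return pa < fpa, nil
	default:
		return pre, nil // same numbers: only a pre-release predates the fix
	}
}

// FindInGoMod scans go.mod text for the x/crypto requirement and returns its
// version, or "" if the module is not required. Replace directives are skipped.
func FindInGoMod(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == Module {
			return fields[1]
		}
	}
	return ""
}

// VersionFromBuildInfo returns the x/crypto version linked into a binary,
// honouring a replace directive, or "" if the module is absent.
func VersionFromBuildInfo(info *debug.BuildInfo) string {
	for _, dep := range info.Deps {
		if dep.Path == Module {
			if dep.Replace != nil {
				return dep.Replace.Version
			}
			return dep.Version
		}
	}
	return ""
}

func main() {
	// Usage: with a go.mod path as argument, scan that file; otherwise inspect
	// the module list embedded in this binary.
	var v string
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		v = FindInGoMod(string(data))
	} else if info, ok := debug.ReadBuildInfo(); ok {
		v = VersionFromBuildInfo(info)
	}
	if v == "" {
		fmt.Println(Module, "not found")
		return
	}
	vuln, err := IsVulnerable(v)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s %s: vulnerable to CVE-2026-39827 = %v (fixed in %s)\n", Module, v, vuln, FixedVersion)
}
```

Running it against a checked-out server's go.mod, or with no arguments from inside a built binary, reports whether the linked x/crypto predates v0.52.0; a pseudo-version of v0.52.0 still reports as vulnerable because only the tagged release is known to contain the fix.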