CVE-2026-39829
RSA Public Key Parsing Denial of Service via Large Modulus
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | crypto | up to 0.52.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The RSA and DSA public key parsers in the golang.org/x/crypto package did not enforce size limits on key parameters.
An attacker can craft a public key with an excessively large modulus or DSA parameter, causing the signature verification process to consume several minutes of CPU time.
This excessive CPU consumption can be triggered by unauthenticated clients during public key authentication.
To mitigate this, RSA moduli are now limited to 8192 bits, and DSA parameters are validated according to FIPS 186-2 standards.
How can this vulnerability impact me?
This vulnerability can lead to a denial-of-service (DoS) condition by causing excessive CPU consumption during signature verification.
Unauthenticated clients can exploit this by sending crafted public keys with large parameters, which can slow down or disrupt services relying on public key authentication.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you are using the latest version of the golang.org/x/crypto package, specifically version v0.52.0 or later, where the issue has been fixed.
The fix enforces size limits on RSA moduli (limited to 8192 bits) and validates DSA parameters according to FIPS 186-2 standards, preventing crafted public keys with excessively large parameters from causing excessive CPU consumption.
Updating your Go environment and any dependent packages that use the affected SSH functions (such as Dial, NewClientConn, ParseAuthorizedKey) will help prevent denial-of-service attacks triggered by unauthenticated clients during public key authentication.
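The 8192-bit limit described above can also be applied as a standalone size check on an SSH RSA public key blob, for example when auditing stored keys, before any signature verification runs. The following Go code is an added example, not the golang.org/x/crypto fix itself; `MaxRSABits`, `field`, `RSAModulusBits` and `SampleBlob` are hypothetical names, and the sample blobs are constructed, not real keys.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

// MaxRSABits is the modulus limit this page gives for the fixed release.
const MaxRSABits = 8192

// field reads one SSH wire field (uint32 length + bytes), bounds-checked.
func field(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated or oversized field")
	}
	end := 4 + int(binary.BigEndian.Uint32(b))
	return b[4:end], b[end:], nil
}

// RSAModulusBits reads an "ssh-rsa" blob (algo, mpint e, mpint n); no RSA math.
func RSAModulusBits(blob []byte) (int, error) {
	algo, rest, err := field(blob)
	if err != nil || string(algo) != "ssh-rsa" {
		return 0, fmt.Errorf("not a well-formed ssh-rsa key blob")
	}
	if _, rest, err = field(rest); err != nil { // skip public exponent e
		return 0, err
	}
	n, _, err := field(rest)
	return new(big.Int).SetBytes(n).BitLen(), err // leading zero byte ignored
}

// SampleBlob builds a constructed (not real) blob with a bits-bit modulus.
func SampleBlob(bits int) []byte {
	n := append([]byte{0}, new(big.Int).Lsh(big.NewInt(1), uint(bits-1)).Bytes()...)
	var out []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), {1, 0, 1}, n} {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

func main() {
	for _, bits := range []int{2048, 16384} { // constructed sizes
		got, err := RSAModulusBits(SampleBlob(bits))
		fmt.Println(got, "bits; over limit:", got > MaxRSABits, err)
	}
}
```

For an `authorized_keys` entry, the blob is the base64-decoded second field of the line.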
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves crafted RSA or DSA public keys with excessively large parameters causing high CPU consumption during signature verification. Detection would involve monitoring for unusually high CPU usage during public key authentication attempts, especially from unauthenticated clients.
Since the vulnerability is triggered by public key authentication using malformed keys, one approach is to analyze SSH authentication logs for repeated or suspicious public key authentication attempts that coincide with CPU spikes.
Specific commands to detect this vulnerability are not provided in the available resources.