CVE-2026-39830
Analyzed - Analysis Complete
SSH Global Request Response Buffer Overflow in Go

Publication date: 2026-05-22

Last updated on: 2026-06-02

Assigner: Go Project

Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Meta Information
Published: 2026-05-22
Last Modified: 2026-06-02
Generated: 2026-06-11
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-10
Affected Vendors & Products
Showing 1 associated CPE
Vendor: golang
Product: crypto
Version / Range: to 0.52.0 (exc)
CWE ID: CWE-119
Description: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Executive Summary

This vulnerability occurs when a malicious SSH peer sends unsolicited global request responses to a Go SSH server, which fills an internal buffer and blocks the connection's read loop.

Because the read loop is blocked, the goroutine handling the connection cannot be released even if the connection is closed, leading to a resource leak for each affected connection.

The issue has been fixed by discarding unsolicited global responses to prevent the buffer from filling and blocking the read loop.
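
The blocking pattern and the discard fix described above, as an added example: a simplified model written for this page, not code from golang.org/x/crypto. The type and function names, the buffer capacity of 16, and the 200 ms timeout are assumptions, and the input is constructed in memory.

```go
package main

import (
	"fmt"
	"time"
)

// mux is a simplified model of a connection multiplexer, NOT x/crypto/ssh code.
type mux struct {
	responses chan string // replies awaited by callers of our own global requests
	pending   int         // global requests we sent that still await a reply
	discard   bool        // true models the fixed behaviour
}

// readLoop consumes incoming global-response messages until in is closed.
func (m *mux) readLoop(in <-chan string, done chan<- struct{}) {
	defer close(done)
	for msg := range in {
		if m.pending == 0 && m.discard {
			continue // unsolicited: nobody is waiting, so drop it
		}
		// Without the discard this send blocks once the buffer is full, and nothing reads it.
		m.responses <- msg
		if m.pending > 0 {
			m.pending--
		}
	}
}

// loopSurvives feeds n unsolicited responses and reports whether the loop exited in time.
func loopSurvives(discard bool, n int) bool {
	m := &mux{responses: make(chan string, 16), discard: discard} // 16 is assumed
	in := make(chan string, n)
	for i := 0; i < n; i++ {
		in <- "unsolicited" // constructed sample input
	}
	close(in)
	done := make(chan struct{})
	go m.readLoop(in, done)
	select {
	case <-done:
		return true
	case <-time.After(200 * time.Millisecond):
		return false // the goroutine is stuck on the send and is leaked
	}
}

func main() {
	fmt.Println(loopSurvives(false, 16), loopSurvives(false, 17), loopSurvives(true, 1000))
}
```

In the model, one message past the buffer capacity is enough to park the read loop when nothing is discarded, while the discarding variant drains any number of unsolicited responses.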

Impact Analysis

This vulnerability can cause resource leaks on the server handling SSH connections, as each malicious connection that sends unsolicited global request responses can block a goroutine indefinitely.

Over time, this can exhaust server resources, potentially leading to degraded performance or denial of service due to the accumulation of blocked goroutines.

Mitigation Strategies

To mitigate this vulnerability, update the golang.org/x/crypto package to version 0.52.0 or later, where unsolicited global SSH request responses are discarded to prevent resource leaks.

This fix addresses the issue by preventing the internal buffer from filling and blocking the connection's read loop, thus avoiding the resource leak per connection.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
