CVE-2026-39834
Integer Overflow in Go SSH Channel Write Handling
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | * |
| golang | golang.org_x_crypto | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Go programming language's SSH implementation when writing data larger than 4GB in a single Write call on an SSH channel.
An integer overflow happens in the internal payload size calculation, causing the write loop to spin indefinitely. Instead of progressing, it sends empty packets repeatedly.
The issue was fixed by changing the size comparison to use a 64-bit integer (int64) to prevent truncation and overflow.
How can this vulnerability impact me? :
This vulnerability can cause an SSH write operation to hang indefinitely when attempting to send data larger than 4GB in a single call.
As a result, the affected process may become unresponsive or stuck in an infinite loop, sending empty packets without making progress.
This can lead to denial of service conditions or degraded performance in applications relying on the affected SSH implementation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the golang.org/x/crypto package to version v0.52.0 or later, where the issue has been fixed by changing the size comparison to use int64 to prevent truncation.
Ensure that any applications using the affected SSH functions such as Dial, NewClientConn, NewServerConn, and various Session methods (CombinedOutput, Output, Run, Shell, Start) are rebuilt and redeployed with the updated package.