CVE-2026-42508
SignatureKey Revocation Check Bypass in Go
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | crypto | all versions before 0.52.0 (0.52.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | not assigned |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, identified as CVE-2026-42508, affects the golang.org/x/crypto/ssh/knownhosts package before version v0.52.0. It involves a failure to properly check the revocation status of the 'SignatureKey' of a certificate, that is, the key of the Certificate Authority (CA) that signed it. Previously, revoked SignatureKeys were not checked at all, so a host certificate signed by a revoked CA key could still be accepted. The fix ensures that both the 'key' and its associated 'SignatureKey' are checked for revocation.
How can this vulnerability impact me?
If you use the affected golang.org/x/crypto/ssh/knownhosts package before version v0.52.0, this vulnerability could allow revoked Certificate Authority keys to be accepted as valid. This means that revoked or compromised keys might still be trusted, potentially enabling unauthorized access or man-in-the-middle attacks in SSH connections that rely on this package for host key verification.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the golang.org/x/crypto/ssh/knownhosts package before version v0.52.0, where a revoked 'SignatureKey' belonging to a Certificate Authority (CA) was not checked for revocation.
Detection involves verifying if your system uses a vulnerable version of the knownhosts package and checking if revoked SignatureKeys are being accepted.
Since the issue is in the hostKeyDB.IsRevoked function within the knownhosts package, you can audit your SSH host key verification process to confirm that a certificate whose signing CA key is listed on a '@revoked' line of your known_hosts file is rejected rather than accepted.
There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the golang.org/x/crypto/ssh/knownhosts package to version v0.52.0 or later, where the fix has been applied.
The fix ensures that both the 'key' and 'key.SignatureKey' are checked for revocation status, preventing the use of revoked SignatureKeys.
If updating immediately is not possible, review your SSH host key verification process to ensure revoked keys are not accepted, although no specific workaround commands are provided.
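As an added illustration of the check described above (this is not code from the golang.org/x/crypto project), the following Go program models the knownhosts revocation lookup with stand-in types: the pre-v0.52.0 check looks up only the presented certificate, while the fixed check also looks up the certificate's SignatureKey. The known_hosts text and key blobs are constructed for the example and are not real keys.

```go
package main

import "strings"

// Constructed stand-ins for the golang.org/x/crypto/ssh types: the real code keys
// its revoked map on marshalled key bytes; here a key is its known_hosts "keytype base64" text.
type PublicKey string

type Certificate struct {
	Key          PublicKey // the host key being certified
	SignatureKey PublicKey // the CA key that signed the certificate
}

// hostKeyDB holds the keys listed on "@revoked" lines of a known_hosts file.
type hostKeyDB struct{ revoked map[PublicKey]bool }

// loadRevoked parses known_hosts text. Each line is laid out as
// "[@marker] hosts keytype base64 [comment]"; only @revoked lines matter here.
func loadRevoked(knownHosts string) *hostKeyDB {
	db := &hostKeyDB{revoked: map[PublicKey]bool{}}
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) >= 4 && f[0] == "@revoked" {
			db.revoked[PublicKey(f[2]+" "+f[3])] = true
		}
	}
	return db
}

// isRevokedBefore mirrors the pre-v0.52.0 behaviour: only the presented
// certificate is looked up, so a certificate issued by a revoked CA passes.
func (db *hostKeyDB) isRevokedBefore(c *Certificate) bool {
	return db.revoked[c.Key]
}

// isRevokedFixed mirrors the v0.52.0 fix: the certificate's SignatureKey
// (the CA key) is checked as well.
func (db *hostKeyDB) isRevokedFixed(c *Certificate) bool {
	return db.revoked[c.Key] || db.revoked[c.SignatureKey]
}

// Constructed sample: the CA key was revoked, the host key itself was not.
const sampleKnownHosts = `@cert-authority *.example.test ssh-ed25519 AAAAC3CAKEY ca
@revoked * ssh-ed25519 AAAAC3CAKEY ca-revoked-2026
host1.example.test ssh-ed25519 AAAAC3HOSTKEY`

var sampleCert = &Certificate{
	Key:          "ssh-ed25519 AAAAC3HOSTKEY",
	SignatureKey: "ssh-ed25519 AAAAC3CAKEY",
}
```

Running loadRevoked(sampleKnownHosts) and calling both checks on sampleCert shows the pre-fix lookup returning false and the fixed lookup returning true for the same certificate.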