CVE-2026-46598
ed25519 PrivateKey Panic from Malformed Wire Bytes
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | golang.org_x_crypto | to 0.52.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability occurs when a specially crafted input causes the creation of an ed25519.PrivateKey by casting malformed wire bytes. This malformed key leads to a panic (a runtime error) when it is used.
It specifically affects the golang.org/x/crypto package before version v0.52.0, particularly in the ssh/agent component of the package.
How can this vulnerability impact me? :
The vulnerability can cause client-side panics in applications using the affected golang.org/x/crypto/ssh/agent package when processing crafted inputs. This means that an attacker could potentially cause a denial of service by triggering these panics, disrupting normal operation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a panic triggered by malformed wire bytes when creating an ed25519.PrivateKey in the golang.org/x/crypto/ssh/agent package. Detection would involve monitoring for panics or crashes in applications using this package, especially those handling SSH agent communications.
Since the issue arises from processing crafted inputs, you can detect it by checking the version of the golang.org/x/crypto package in use. Versions before v0.52.0 are vulnerable.
No specific commands are provided in the available resources to detect the vulnerability directly on a network or system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the golang.org/x/crypto package to version v0.52.0 or later, where this vulnerability has been addressed.
Until the fix is applied, avoid processing untrusted or crafted SSH agent inputs that could trigger the panic.