CVE-2026-46598
Analyzed Analyzed - Analysis Complete
ed25519 PrivateKey Panic from Malformed Wire Bytes

Publication date: 2026-05-22

Last updated on: 2026-05-28

Assigner: Go Project

Description
For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-28
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-46598
EUVD
EUVD-2026-31402
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang crypto to 0.52.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when a specially crafted input causes the creation of an ed25519.PrivateKey by casting malformed wire bytes. This malformed key leads to a panic (a runtime error) when it is used.

It specifically affects the golang.org/x/crypto package before version v0.52.0, particularly in the ssh/agent component of the package.

Compliance Impact

The provided information does not include any details on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can cause client-side panics in applications using the affected golang.org/x/crypto/ssh/agent package when processing crafted inputs. This means that an attacker could potentially cause a denial of service by triggering these panics, disrupting normal operation.

Detection Guidance

This vulnerability involves a panic triggered by malformed wire bytes when creating an ed25519.PrivateKey in the golang.org/x/crypto/ssh/agent package. Detection would involve monitoring for panics or crashes in applications using this package, especially those handling SSH agent communications.

Since the issue arises from processing crafted inputs, you can detect it by checking the version of the golang.org/x/crypto package in use. Versions before v0.52.0 are vulnerable.

No specific commands are provided in the available resources to detect the vulnerability directly on a network or system.

Mitigation Strategies

The primary mitigation step is to upgrade the golang.org/x/crypto package to version v0.52.0 or later, where this vulnerability has been addressed.

Until the fix is applied, avoid processing untrusted or crafted SSH agent inputs that could trigger the panic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart