Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Published: 2026-05-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the RSA and DSA public key parsers of golang.org/x/crypto/ssh, which lack size restrictions on key parameters. A malicious public key containing an exceedingly large modulus or DSA parameter can trigger several minutes of intense CPU usage during signature verification. This results in a denial‑of‑service condition for the SSH service without requiring any prior authentication.

Affected Systems

This flaw affects the golang.org/x/crypto/ssh library. Versions released before the fix do not enforce maximum key lengths for RSA and DSA, while recent releases enforce a maximum RSA modulus of 8192 bits and validate DSA parameters in accordance with FIPS 186‑2.
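The size limit described above, sketched as an added example using only the Go standard library; it is not the code from golang.org/x/crypto/ssh. The names `CheckRSABlob`, `readField` and `BuildBlob` are hypothetical, the sample blobs are constructed rather than real keys, and only the RSA case is covered (wire layout per RFC 4253: string algorithm, mpint e, mpint n).

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

const maxRSAModulusBits = 8192 // cap stated in the advisory

// readField reads one RFC 4253 length-prefixed field and returns the rest.
func readField(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated field")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// CheckRSABlob (hypothetical name) rejects an "ssh-rsa" blob with an oversized modulus.
func CheckRSABlob(blob []byte) (bits int, err error) {
	algo, rest, err := readField(blob)
	if err != nil || string(algo) != "ssh-rsa" {
		return 0, fmt.Errorf("not an ssh-rsa key blob")
	}
	if _, rest, err = readField(rest); err != nil { // skip exponent e
		return 0, err
	}
	n, _, err := readField(rest) // modulus n
	if err != nil {
		return 0, err
	}
	if bits = new(big.Int).SetBytes(n).BitLen(); bits > maxRSAModulusBits {
		return bits, fmt.Errorf("modulus is %d bits, limit %d", bits, maxRSAModulusBits)
	}
	return bits, nil
}

// BuildBlob makes a constructed blob (not a real key) with an nBits modulus.
func BuildBlob(nBits int) (out []byte) {
	n := new(big.Int).Lsh(big.NewInt(1), uint(nBits-1)).Bytes()
	for _, f := range [][]byte{[]byte("ssh-rsa"), {1, 0, 1}, append([]byte{0}, n...)} {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

func main() {
	fmt.Println(CheckRSABlob(BuildBlob(16384)))
}
```

The check runs on the parsed key before any signature verification is attempted, which is the point at which the oversized parameter would otherwise start consuming CPU.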

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score is less than 1%, suggesting low probability of exploitation. The vulnerability is not listed in CISA KEV. It can be triggered by unauthenticated clients during public‑key authentication, allowing an attacker to craft a key with large parameters to consume compute resources and degrade service availability.

Generated by OpenCVE AI on June 2, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update golang.org/x/crypto/ssh to the latest released version that caps RSA modulus size at 8192 bits and validates DSA parameters.
  • Configure the SSH daemon to use only approved key exchanges and enforce key length checks where possible.
  • Audit authentication logs for unusually long signature verification durations and investigate any suspected abuse.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Golang crypto
Weaknesses CWE-347
CPEs cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*
Vendors & Products Golang crypto

Fri, 22 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-718

Fri, 22 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 22 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang ssh
Vendors & Products Golang
Golang ssh

Fri, 22 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 22 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Title Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T18:53:33.377Z

Reserved: 2026-04-07T18:13:03.528Z

Link: CVE-2026-39829

Vulnrichment

Updated: 2026-05-22T18:53:29.195Z

NVD

Status: Analyzed

Published: 2026-05-22T04:16:22.310

Modified: 2026-06-02T16:33:46.800

Link: CVE-2026-39829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:30:13Z

Weaknesses