Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Published: 2026-05-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the RSA and DSA public key parsers of golang.org/x/crypto/ssh, which lack size restrictions on key parameters. A malicious public key containing an exceedingly large modulus or DSA parameter can trigger several minutes of intense CPU usage during signature verification. This results in a denial‑of‑service condition for the SSH service without requiring any prior authentication.

Affected Systems

This flaw affects the golang.org/x/crypto/ssh library. Versions released before the fix do not enforce maximum key lengths for RSA and DSA, while recent releases enforce a maximum RSA modulus of 8192 bits and validate DSA parameters in accordance with FIPS 186‑2.

Risk and Exploitability

The CVSS score for this issue is not provided in the data, and no EPSS value is available, indicating that the likelihood of exploitation cannot be quantified here. The vulnerability is not listed in CISA KEV, but it can be triggered by any unauthenticated client attempting public‑key authentication. An attacker can craft a specially sized key to consume compute resources and potentially degrade service availability.

Generated by OpenCVE AI on May 22, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update golang.org/x/crypto/ssh to the latest released version that caps RSA modulus size at 8192 bits and validates DSA parameters.
  • Configure the SSH daemon to use only approved key exchanges and enforce key length checks where possible.
  • Audit authentication logs for unusually long signature verification durations and investigate any suspected abuse.

Generated by OpenCVE AI on May 22, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 22 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Title Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T02:31:27.324Z

Reserved: 2026-04-07T18:13:03.528Z

Link: CVE-2026-39829

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-22T04:16:22.310

Modified: 2026-05-22T04:16:22.310

Link: CVE-2026-39829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T04:30:25Z

Weaknesses