Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Published: 2026-05-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious SSH peer can send unsolicited global request responses that fill an internal buffer, blocking the SSH connection's read loop. The blocked goroutine cannot be released by calling Close(), so every such connection leaks a goroutine and its associated resources. The patched library discards unsolicited global responses, removing the denial-of-service condition; applications remain exposed until they pick up that patch.

Affected Systems

Any application that imports and uses the golang.org/x/crypto/ssh library is potentially affected. No specific version information is available; the vulnerability applies to all versions prior to the fix, and the patch will be included in a forthcoming release of the library.

Risk and Exploitability

The vulnerability is exploitable over the network by a remote SSH client. Because the attacker can send an unbounded number of global request responses, the filled buffer stalls the server's read loop and the leaked goroutines exhaust resources, effectively denying service to legitimate users. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. No CVSS score is provided, but the impact and the confirmation of exploitation in the description indicate high severity. The attack vector is likely remote SSH traffic; the fix discards unsolicited responses, but the risk remains until the updated library is deployed.
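The failure mode the Impact and Risk sections describe, as an added Go model written for this page; it is not the golang.org/x/crypto/ssh code and does not reproduce its internals. The model assumes the "internal buffer" is a buffered channel of capacity one between the read loop and the goroutine waiting for a reply to a global request, and all names here (transport, readLoopStep, floodUnsolicited, globalResponse) are this example's own. Switching dropUnsolicited on is the discard behaviour the advisory says the fix introduces.

```go
package main

import (
	"fmt"
	"sync"
)

// globalResponse stands in for a global-request reply packet received from the
// peer (constructed for this example; not the x/crypto/ssh message type).
type globalResponse struct {
	success bool
}

// transport models the part of a connection that hands global-request replies
// from the read loop to the goroutine that sent the request. The buffered
// channel is an assumption of this model: the advisory only says an internal
// buffer fills and blocks the read loop.
type transport struct {
	mu              sync.Mutex
	outstanding     int                 // global requests sent whose reply has not arrived
	replies         chan globalResponse // bounded hand-off buffer to the requester
	dropUnsolicited bool                // false = vulnerable behaviour, true = fixed behaviour
	dropped         int                 // unsolicited replies discarded in fixed mode
}

func newTransport(capacity int, dropUnsolicited bool) *transport {
	return &transport{
		replies:         make(chan globalResponse, capacity),
		dropUnsolicited: dropUnsolicited,
	}
}

// sendGlobalRequest records that one reply is now expected from the peer.
// The wire write is omitted; only the bookkeeping matters for this model.
func (t *transport) sendGlobalRequest() {
	t.mu.Lock()
	t.outstanding++
	t.mu.Unlock()
}

// awaitReply is what the requesting goroutine calls to consume one reply.
func (t *transport) awaitReply() globalResponse {
	return <-t.replies
}

// readLoopStep is what the connection's read loop does with one incoming reply.
// blocked is true when queueing would block because the buffer is already full.
// The real read loop would stall at that point instead of returning, and since
// that goroutine is what Close() cannot unwind, the connection then leaks.
func (t *transport) readLoopStep(r globalResponse) (queued, dropped, blocked bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	// Fixed behaviour: a reply that no request is waiting for is discarded.
	if t.outstanding == 0 && t.dropUnsolicited {
		t.dropped++
		return false, true, false
	}
	// Vulnerable behaviour (or a genuinely solicited reply): queue it.
	select {
	case t.replies <- r:
		if t.outstanding > 0 {
			t.outstanding--
		}
		return true, false, false
	default:
		return false, false, true
	}
}

// floodUnsolicited feeds n replies for which no request is pending and reports
// how many the read loop queued, how many it dropped, and the 1-based index of
// the first reply at which it would have blocked (0 if it never would).
func floodUnsolicited(t *transport, n int) (queued, dropped, firstBlock int) {
	for i := 1; i <= n; i++ {
		q, d, b := t.readLoopStep(globalResponse{success: true})
		switch {
		case q:
			queued++
		case d:
			dropped++
		case b && firstBlock == 0:
			firstBlock = i
		}
	}
	return
}

func main() {
	vuln := newTransport(1, false)
	q, d, b := floodUnsolicited(vuln, 5)
	fmt.Printf("vulnerable: queued=%d dropped=%d read loop blocks at reply %d\n", q, d, b)

	fixed := newTransport(1, true)
	q, d, b = floodUnsolicited(fixed, 5)
	fmt.Printf("fixed:      queued=%d dropped=%d read loop blocks at reply %d\n", q, d, b)

	// A solicited reply is still delivered in fixed mode.
	fixed.sendGlobalRequest()
	fixed.readLoopStep(globalResponse{success: false})
	fmt.Printf("fixed, solicited reply delivered: success=%v\n", fixed.awaitReply().success)
}
```

With a capacity of one, the vulnerable transport accepts the first unsolicited reply and would block on the second, which is the point at which a real read loop stops servicing the connection; the fixed transport drops all five and still delivers a reply once a request is actually outstanding. Counting drops, as this model does, is also a useful detection signal: a peer producing many discarded global responses is misbehaving and is a reasonable candidate for logging or disconnection.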

Generated by OpenCVE AI on May 22, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the golang.org/x/crypto/ssh package to the latest release that includes the fix for the global request response buffer overflow.
  • Configure the SSH server to reject unsolicited global requests or to log and close connections that send unexpected global responses, limiting the potential for resource exhaustion.
  • Deploy a rate limiter that caps the number of global request responses per connection, preventing buffer exhaustion.

Advisories

No advisories yet.

History

Fri, 22 May 2026 05:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-770, CWE-787

Fri, 22 May 2026 03:30:00 +0000

Type         Values Removed   Values Added
Description                   A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Title                         Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T02:31:27.208Z

Reserved: 2026-04-07T18:13:03.528Z

Link: CVE-2026-39830

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-22T04:16:22.440

Modified: 2026-05-22T04:16:22.440

Link: CVE-2026-39830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T05:00:11Z

Weaknesses