A buffer size calculation in golang.org/x/crypto/ssh overflows when a client attempts to write more than 4 gigabytes across a single SSH channel Write call. The overflow causes the internal loop that transmits data packets to spin indefinitely without transmitting payload, sending empty packets continuously until the process is killed. This results in a denial of service by exhausting CPU and network resources on whichever side of the channel handles the loop, without compromising confidentiality or integrity.

The vulnerability affects the golang.org/x/crypto package, specifically the ssh module. No explicit version information is provided, so any deployment that uses a pre‑fix release of this module could be vulnerable. Administrators should verify whether their code or binaries include the patched version that switches to int64 arithmetic.

The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at the time of analysis. The CVSS score is 9.1, but the vulnerability’s denial of service nature carries moderate to high risk, particularly for exposed SSH services that could be triggered remotely by an attacker uploading large payloads (the likely remote attack vector is inferred from the SSH protocol's remote nature). The lack of active exploits suggests the risk is primarily in the self‑service impact on the affected system rather than in zero‑day attacks.