Description
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
Published: 2026-05-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when an SSH server uses CertChecker as its public key callback without configuring either the IsUserAuthority or IsHostAuthority function. A client that presents an SSH certificate then causes the unset callback to be invoked, a nil dereference (CWE-476) that makes the golang.org/x/crypto/ssh server panic. The panic stops the server process, making the service unavailable to legitimate users; it does not expose stored data, but it disrupts availability and enables a denial-of-service attack.

Affected Systems

The flaw affects any deployment of golang.org/x/crypto/ssh that uses CertChecker as the public key callback while leaving the authority callbacks unset. No specific version range is documented in the vulnerability record, so any version released before the fix should be treated as vulnerable.

Risk and Exploitability

There is no EPSS score reported, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or at least undocumented exploitation to date. However, the flaw is exploitable by any attacker who can present a client certificate to the server. The attack path is straightforward: connect to the SSH server, present a certificate, and the server panics, producing a denial of service. The absence of a server-side guard on this code path, and the fact that it is reached through the public key callback during authentication, make the vulnerability both practical and potentially impactful for services relying on this library.

Generated by OpenCVE AI on May 22, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest golang.org/x/crypto/ssh release that incorporates the nil check and error-return change.
  • Configure the SSH server to set the IsUserAuthority or IsHostAuthority callback function when using CertChecker, so that the callback the checker invokes is never nil.
  • If an immediate update is impossible, avoid using CertChecker as the public key callback, or temporarily disable certificate handling until the patched version is installed.
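As an added example (not code from golang.org/x/crypto/ssh or from OpenCVE), a self-contained Go model of the defect class and of the second recommended action: a checker whose unset callback is invoked without a guard, beside the hardened form that returns an error, and a checker configured with a pinned CA key. The PublicKey, Certificate and CertChecker types here are constructed stand-ins for the library's types, and the CA key values are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the ssh types (constructed); SignatureKey is the CA key that signed the cert.
type PublicKey []byte
type Certificate struct{ SignatureKey PublicKey }

// CertChecker models the authority callback named in the advisory; nil means "not configured".
type CertChecker struct {
	IsUserAuthority func(auth PublicKey) bool
}

// authenticateUnguarded is the vulnerable shape: calling an unset func field panics (CWE-476).
func (c *CertChecker) authenticateUnguarded(cert *Certificate) error {
	if !c.IsUserAuthority(cert.SignatureKey) {
		return errors.New("ssh: certificate signed by unrecognized authority")
	}
	return nil
}

// Authenticate is the hardened shape: a missing callback fails this attempt instead of stopping the server.
func (c *CertChecker) Authenticate(cert *Certificate) error {
	if c.IsUserAuthority == nil {
		return errors.New("ssh: CertChecker.IsUserAuthority is not configured")
	}
	if !c.IsUserAuthority(cert.SignatureKey) {
		return errors.New("ssh: certificate signed by unrecognized authority")
	}
	return nil
}

// callWithRecover runs fn and reports whether it panicked, so the two shapes can be compared.
func callWithRecover(fn func() error) (err error, panicked bool) {
	defer func() { panicked = recover() != nil }()
	return fn(), false
}

func main() {
	cert := &Certificate{SignatureKey: PublicKey("unknown-ca")} // constructed client certificate
	unset := &CertChecker{}                                     // callbacks left nil, as in the advisory
	_, panicked := callWithRecover(func() error { return unset.authenticateUnguarded(cert) })
	err, _ := callWithRecover(func() error { return unset.Authenticate(cert) })
	// Mitigation: always set the authority callback, pinned to the known CA key.
	safe := &CertChecker{IsUserAuthority: func(k PublicKey) bool { return string(k) == "trusted-ca" }}
	fmt.Printf("unguarded panicked: %v; hardened: %v; configured: %v\n", panicked, err, safe.Authenticate(cert))
}
```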


Advisories

No advisories yet.

History

Fri, 22 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Fri, 22 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
Title | | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
References | |


MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T02:31:26.982Z

Reserved: 2026-04-07T18:13:03.529Z

Link: CVE-2026-39835

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-22T04:16:24.530

Modified: 2026-05-22T04:16:24.530

Link: CVE-2026-39835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T04:30:25Z

Weaknesses