A malformed input to the golang.org/x/crypto SSH agent can cause the library to construct an ed25519.PrivateKey from invalid wire bytes, which in turn triggers a panic when the key is used. The panic terminates the affected process, effectively disabling the SSH agent service for the impacted instance. The underlying weakness is an improper handling of malformed data that allows an attacker to crash the application, a classic denial of service scenario.

The vulnerability affects the golang.org/x/crypto/ssh/agent library provided by the Go community. No specific version ranges are listed in the CNA data, so any installation that uses this library without a subsequent patch is potentially exposed.

The CVSS score is not provided, and the EPSS score is unavailable, which suggests limited public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote: an adversary can send a specially crafted SSH agent request over the network to trigger the panic. Until an official fix is released, the exposed library can be exploited to perform a DoS attack against any service that relies on the agent, potentially impacting availability of SSH key authentication services.