Vulnerability-Lookup

WID-SEC-W-2026-1653

Vulnerability from csaf_certbund - Published: 2026-05-21 22:00 - Updated: 2026-06-08 22:00

Summary

Golang Go-Module (Net, Image, Crypto: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Go ist eine quelloffene Programmiersprache.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um erweiterte Privilegien zu erlangen, Cross-Site-Scripting-Angriffe durchzuführen, Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-25680

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-25681

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-27136

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-39821

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-42502

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-42506

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Golang Go net module <0.55.0 Golang / Go		net module <0.55.0

CVE-2026-33809

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go image module <0.41.0 Golang / Go		image module <0.41.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-42500

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go image module <0.41.0 Golang / Go		image module <0.41.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39827

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39828

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39829

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39830

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39831

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39832

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39833

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39834

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-39835

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-42508

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-46595

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-46597

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-46598

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Golang Go crypto module <0.52.0 Golang / Go		crypto module <0.52.0
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

References

26 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://groups.google.com/g/golang-announce/c/iI-…	external
https://groups.google.com/g/golang-announce/c/uhY…	external
https://groups.google.com/g/golang-announce/c/a08…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3334.html	external
https://access.redhat.com/errata/RHSA-2026:23264	external
https://access.redhat.com/errata/RHSA-2026:23262	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://lists.opensuse.org/archives/list/security…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3348.html	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Go ist eine quelloffene Programmiersprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um erweiterte Privilegien zu erlangen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1653 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1653.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1653 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1653"
      },
      {
        "category": "external",
        "summary": "Vulnerabilities in golang.org/x/net vom 2026-05-21",
        "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
      },
      {
        "category": "external",
        "summary": "Vulnerabilities in golang.org/x/image vom 2026-05-21",
        "url": "https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"
      },
      {
        "category": "external",
        "summary": "Vulnerabilities in golang.org/x/crypto vom 2026-05-21",
        "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10842-1 vom 2026-05-24",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RA6PKGM4RN2T2DFSXXNZRPYQVODGU2NO/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10845-1 vom 2026-05-24",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MHOGVSQU7PY2NM3HOJ74FFNGCKPQAWFO/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10908-1 vom 2026-06-02",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2VIBP73YHEJH5M2ITECIJTBYUZ4FOZFU/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20854-1 vom 2026-06-02",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J65AQ42VT55IOXXFWFYBKROOWSYNGFDE/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10933-1 vom 2026-06-06",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NPIJMUPYT3P56R7MSRBUIOZYCB6ZO65J/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10949-1 vom 2026-06-07",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HNXJU75M7TWJ7VROUNL3W5GKG5NO4PWW/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10941-1 vom 2026-06-07",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZSXJ5ATZVALMBIFYBSJ3K2EL4SD2BAUM/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10923-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RZPD6LKSJ4W7P4HDPG2WAORVZ6FW66HB/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20902-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WRX7QSYY4H3GAFKW4L37MDF543ZQRKHS/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2285-1 vom 2026-06-05",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026599.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10921-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EFQITHNC7L7OCGIHU3ZTM3PZFHVW3KHV/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-126 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-126.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-127 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-127.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3334 vom 2026-06-09",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3334.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:23264 vom 2026-06-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:23264"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:23262 vom 2026-06-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:23262"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-109 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-109.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-108 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-108.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:0195-1 vom 2026-06-09",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3KY4XRJ2VHJF7MAZ7RPSSNU5NESAI7IN/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3348 vom 2026-06-09",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3348.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-128 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-128.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Golang Go-Module (Net, Image, Crypto: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-08T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-09T08:41:56.895+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1653",
      "initial_release_date": "2026-05-21T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-21T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von European Union Vulnerability Database und openSUSE aufgenommen"
        },
        {
          "date": "2026-05-31T22:00:00.000+00:00",
          "number": "3",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-33419"
        },
        {
          "date": "2026-06-02T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE und SUSE aufgenommen"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Amazon, Red Hat und openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "net module \u003c0.55.0",
                "product": {
                  "name": "Golang Go net module \u003c0.55.0",
                  "product_id": "T054525"
                }
              },
              {
                "category": "product_version",
                "name": "net module 0.55.0",
                "product": {
                  "name": "Golang Go net module 0.55.0",
                  "product_id": "T054525-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:net_module__0.55.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "crypto module \u003c0.52.0",
                "product": {
                  "name": "Golang Go crypto module \u003c0.52.0",
                  "product_id": "T054527"
                }
              },
              {
                "category": "product_version",
                "name": "crypto module 0.52.0",
                "product": {
                  "name": "Golang Go crypto module 0.52.0",
                  "product_id": "T054527-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:crypto_module__0.52.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "image module \u003c0.41.0",
                "product": {
                  "name": "Golang Go image module \u003c0.41.0",
                  "product_id": "T054528"
                }
              },
              {
                "category": "product_version",
                "name": "image module 0.41.0",
                "product": {
                  "name": "Golang Go image module 0.41.0",
                  "product_id": "T054528-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:image_module__0.41.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Go"
          }
        ],
        "category": "vendor",
        "name": "Golang"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T054596",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25680",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-25680"
    },
    {
      "cve": "CVE-2026-25681",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-25681"
    },
    {
      "cve": "CVE-2026-27136",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-27136"
    },
    {
      "cve": "CVE-2026-39821",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39821"
    },
    {
      "cve": "CVE-2026-42502",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-42502"
    },
    {
      "cve": "CVE-2026-42506",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "398363",
          "T054525"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-42506"
    },
    {
      "cve": "CVE-2026-33809",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054528",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-33809"
    },
    {
      "cve": "CVE-2026-42500",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054528",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-42500"
    },
    {
      "cve": "CVE-2026-39827",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39827"
    },
    {
      "cve": "CVE-2026-39828",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39828"
    },
    {
      "cve": "CVE-2026-39829",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39829"
    },
    {
      "cve": "CVE-2026-39830",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39830"
    },
    {
      "cve": "CVE-2026-39831",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39831"
    },
    {
      "cve": "CVE-2026-39832",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39832"
    },
    {
      "cve": "CVE-2026-39833",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39833"
    },
    {
      "cve": "CVE-2026-39834",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39834"
    },
    {
      "cve": "CVE-2026-39835",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-39835"
    },
    {
      "cve": "CVE-2026-42508",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-42508"
    },
    {
      "cve": "CVE-2026-46595",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-46595"
    },
    {
      "cve": "CVE-2026-46597",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-46597"
    },
    {
      "cve": "CVE-2026-46598",
      "product_status": {
        "known_affected": [
          "T054596",
          "T002207",
          "67646",
          "T054527",
          "398363"
        ]
      },
      "release_date": "2026-05-21T22:00:00.000+00:00",
      "title": "CVE-2026-46598"
    }
  ]
}

CVE-2026-25680 (GCVE-0-2026-25680)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00

Title

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

Summary

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/781702
https://go.dev/issue/79573
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5028

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

IPC Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:00:30.926552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:00:35.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "IPC Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.805Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/781702"
        },
        {
          "url": "https://go.dev/issue/79573"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5028"
        }
      ],
      "title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25680",
    "datePublished": "2026-05-22T15:01:21.805Z",
    "dateReserved": "2026-02-05T01:35:43.737Z",
    "dateUpdated": "2026-05-22T17:00:35.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25681 (GCVE-0-2026-25681)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46

Title

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Summary

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79574
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781703
https://pkg.go.dev/vuln/GO-2026-5029

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25681",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:46:00.775026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:46:20.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.975Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79574"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781703"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5029"
        }
      ],
      "title": "Invoking  incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25681",
    "datePublished": "2026-05-22T15:01:21.975Z",
    "dateReserved": "2026-02-05T01:35:43.738Z",
    "dateUpdated": "2026-05-22T17:46:20.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27136 (GCVE-0-2026-27136)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59

Title

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

Summary

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79575
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781685
https://pkg.go.dev/vuln/GO-2026-5030

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27136",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:59:35.355098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:59:52.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:22.111Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79575"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781685"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5030"
        }
      ],
      "title": "Invoking  duplicate attributes can cause XSS in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27136",
    "datePublished": "2026-05-22T15:01:22.111Z",
    "dateReserved": "2026-02-17T19:57:28.434Z",
    "dateUpdated": "2026-05-22T16:59:52.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33809 (GCVE-0-2026-33809)

Vulnerability from cvelistv5 – Published: 2026-03-25 18:24 – Updated: 2026-04-06 21:12

Title

OOM from malicious IFD offset in golang.org/x/image/tiff

Summary

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

3 references

URL	Tags
https://go.dev/cl/757660
https://go.dev/issue/78267
https://pkg.go.dev/vuln/GO-2026-4815

Impacted products

1 product

Vendor	Product	Version
golang.org/x/image	golang.org/x/image/tiff	Affected: 0 , < 0.38.0 (semver)

Credits

Andy Gill, ZephrSec Ltd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33809",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T20:05:32.763729Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T20:05:50.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/image/tiff",
          "product": "golang.org/x/image/tiff",
          "programRoutines": [
            {
              "name": "buffer.fill"
            },
            {
              "name": "buffer.ReadAt"
            },
            {
              "name": "Decode"
            },
            {
              "name": "DecodeConfig"
            },
            {
              "name": "buffer.Slice"
            }
          ],
          "vendor": "golang.org/x/image",
          "versions": [
            {
              "lessThan": "0.38.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Andy Gill, ZephrSec Ltd"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T21:12:56.092Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/757660"
        },
        {
          "url": "https://go.dev/issue/78267"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4815"
        }
      ],
      "title": "OOM from malicious IFD offset in golang.org/x/image/tiff"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33809",
    "datePublished": "2026-03-25T18:24:04.222Z",
    "dateReserved": "2026-03-23T20:35:32.813Z",
    "dateUpdated": "2026-04-06T21:12:56.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39821 (GCVE-0-2026-39821)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-27 13:13

Title

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Summary

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/767220
https://go.dev/issue/78760
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5026

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/idna	Affected: 0 , < 0.55.0 (semver)

Credits

KC1zs4 (https://github.com/KC1zs4)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-23T03:55:58.522682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1289",
                "description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:13:15.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/idna",
          "product": "golang.org/x/net/idna",
          "programRoutines": [
            {
              "name": "Profile.process"
            },
            {
              "name": "Profile.ToASCII"
            },
            {
              "name": "Profile.ToUnicode"
            },
            {
              "name": "ToASCII"
            },
            {
              "name": "ToUnicode"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "KC1zs4 (https://github.com/KC1zs4)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\"."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.462Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/767220"
        },
        {
          "url": "https://go.dev/issue/78760"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5026"
        }
      ],
      "title": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39821",
    "datePublished": "2026-05-22T15:01:21.462Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-05-27T13:13:15.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39827 (GCVE-0-2026-39827)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:35

Title

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

Summary

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

References

4 references

URL	Tags
https://go.dev/issue/35127
https://go.dev/cl/781320
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5016

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

Ziyan Zhou

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39827",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:35:34.770589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:35:40.472Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "channel.Reject"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziyan Zhou"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection\u0027s internal state and released for garbage collection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.064Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/35127"
        },
        {
          "url": "https://go.dev/cl/781320"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5016"
        }
      ],
      "title": "Invoking  memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39827",
    "datePublished": "2026-05-22T02:31:27.064Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:35:40.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39828 (GCVE-0-2026-39828)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 17:44

Title

Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

Summary

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79562
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781621
https://pkg.go.dev/vuln/GO-2026-5014

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:43:55.428395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:44:19.986Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "connection.serverAuthenticate"
            },
            {
              "name": "NewServerConn"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:26.883Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79562"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781621"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5014"
        }
      ],
      "title": "Invoking  bypass of certificate restrictions in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39828",
    "datePublished": "2026-05-22T02:31:26.883Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T17:44:19.986Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39829 (GCVE-0-2026-39829)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:53

Title

Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

Summary

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1176 - Inefficient CPU Computation

Assigner

References

5 references

URL	Tags
https://go.dev/issue/79565
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781641
https://go.dev/cl/781661
https://pkg.go.dev/vuln/GO-2026-5018

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39829",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:52:38.155082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:53:33.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "parseRSA"
            },
            {
              "name": "checkDSAParams"
            },
            {
              "name": "parseDSA"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "NewSignerFromKey"
            },
            {
              "name": "ParseAuthorizedKey"
            },
            {
              "name": "ParseKnownHosts"
            },
            {
              "name": "ParsePrivateKey"
            },
            {
              "name": "ParsePrivateKeyWithPassphrase"
            },
            {
              "name": "ParsePublicKey"
            },
            {
              "name": "ParseRawPrivateKey"
            },
            {
              "name": "ParseRawPrivateKeyWithPassphrase"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1176: Inefficient CPU Computation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.324Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79565"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781641"
        },
        {
          "url": "https://go.dev/cl/781661"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5018"
        }
      ],
      "title": "Invoking  pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39829",
    "datePublished": "2026-05-22T02:31:27.324Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:53:33.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39830 (GCVE-0-2026-39830)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:54

Title

Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

Summary

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-833 - Deadlock

Assigner

References

5 references

URL	Tags
https://go.dev/issue/79564
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781640
https://go.dev/cl/781664
https://pkg.go.dev/vuln/GO-2026-5017

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39830",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:54:26.306252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:54:54.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "mux.SendRequest"
            },
            {
              "name": "mux.handleGlobalPacket"
            },
            {
              "name": "channel.handlePacket"
            },
            {
              "name": "channel.SendRequest"
            },
            {
              "name": "Client.Listen"
            },
            {
              "name": "Client.ListenTCP"
            },
            {
              "name": "Client.ListenUnix"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "Session.CombinedOutput"
            },
            {
              "name": "Session.Output"
            },
            {
              "name": "Session.RequestPty"
            },
            {
              "name": "Session.RequestSubsystem"
            },
            {
              "name": "Session.Run"
            },
            {
              "name": "Session.SendRequest"
            },
            {
              "name": "Session.Setenv"
            },
            {
              "name": "Session.Shell"
            },
            {
              "name": "Session.Signal"
            },
            {
              "name": "Session.Start"
            },
            {
              "name": "Session.WindowChange"
            },
            {
              "name": "tcpListener.Close"
            },
            {
              "name": "unixListener.Close"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection\u0027s read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-833: Deadlock",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.208Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79564"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781640"
        },
        {
          "url": "https://go.dev/cl/781664"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5017"
        }
      ],
      "title": "Invoking  client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39830",
    "datePublished": "2026-05-22T02:31:27.208Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:54:54.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39831 (GCVE-0-2026-39831)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:52

Title

Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

Summary

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79566
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781662
https://pkg.go.dev/vuln/GO-2026-5019

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39831",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:51:41.233749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:52:08.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "CertChecker.CheckCert"
            },
            {
              "name": "skECDSAPublicKey.Verify"
            },
            {
              "name": "skEd25519PublicKey.Verify"
            },
            {
              "name": "connection.serverAuthenticate"
            },
            {
              "name": "CertChecker.Authenticate"
            },
            {
              "name": "CertChecker.CheckHostKey"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a \"no-touch-required\" extension in Permissions.Extensions from PublicKeyCallback."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.436Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79566"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781662"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5019"
        }
      ],
      "title": "Invoking  bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39831",
    "datePublished": "2026-05-22T02:31:27.436Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:52:08.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1653

CVE-2026-25680 (GCVE-0-2026-25680)

CVE-2026-25681 (GCVE-0-2026-25681)

CVE-2026-27136 (GCVE-0-2026-27136)

CVE-2026-33809 (GCVE-0-2026-33809)

CVE-2026-39821 (GCVE-0-2026-39821)

CVE-2026-39827 (GCVE-0-2026-39827)

CVE-2026-39828 (GCVE-0-2026-39828)

CVE-2026-39829 (GCVE-0-2026-39829)

CVE-2026-39830 (GCVE-0-2026-39830)

CVE-2026-39831 (GCVE-0-2026-39831)

Tags

Sightings

Nomenclature