Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
Summary
| CVE | CVE-2026-39830 |
|---|---|
| State | PUBLISHED |
| Assigner | Go |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-22 04:16:22 UTC |
| Updated | 2026-07-10 12:16:45 UTC |
| Description | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.005330000 probability, percentile 0.412280000 (date 2026-07-12)
Problem Types: CWE-119 | CWE-772 | CWE-833: Deadlock | CWE-772 Missing Release of Resource after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| groups.google.com/g/golang-announce/c/a082jnz-LvI | [email protected] | groups.google.com | Mailing List |
| access.redhat.com/errata/RHSA-2026:36797 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37278 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37272 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:29455 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36808 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-39830 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37387 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37268 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36199 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36207 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/cl/781664 | [email protected] | go.dev | Issue Tracking |
| access.redhat.com/errata/RHSA-2026:36319 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| pkg.go.dev/vuln/GO-2026-5017 | [email protected] | pkg.go.dev | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:37296 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37271 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/cl/781640 | [email protected] | go.dev | Issue Tracking |
| go.dev/issue/79564 | [email protected] | go.dev | Issue Tracking |
| access.redhat.com/errata/RHSA-2026:35833 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36625 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36648 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37072 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36796 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37286 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: NCC Group Cryptography Services, sponsored by Teleport (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-22T04:01:38.517Z | Reported to Red Hat. |
| ADP | 2026-05-22T02:31:27.208Z | Made public. |
Solutions
ADP: RHSA-2026:36796: RHEM 1.0 for RHEL 9
ADP: RHSA-2026:36199: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:37072: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:35833: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:29455: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:36808: DevWorkspace Operator 0.42
ADP: RHSA-2026:36625: Red Hat Advanced Cluster Security for Kubernetes 4.10
ADP: RHSA-2026:36207: Red Hat Advanced Cluster Security for Kubernetes 4.11
ADP: RHSA-2026:36319: Red Hat Advanced Cluster Security for Kubernetes 4.9
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:36648: Red Hat OpenShift Builds 1.7.4
ADP: RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22
ADP: RHSA-2026:36797: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37271: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37268: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37272: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37278: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37286: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:37296: Red Hat Trusted Artifact Signer 1.4
Workarounds
ADP: To mitigate this denial of service vulnerability, restrict network access to any service that utilizes the `golang.org/x/crypto/ssh` library and is exposed to untrusted networks. Implement firewall rules to allow connections only from trusted hosts or networks. This action limits the ability of malicious peers to send unsolicited global request responses. A restart of the affected service may be necessary for the new network rules to be applied effectively.