Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39827

CVE-2026-39827: Golang Crypto SSH DOS Vulnerability

CVE-2026-39827 is a denial of service vulnerability in Golang Crypto SSH where authenticated clients can crash servers through repeated rejected channel requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-39827 Overview

CVE-2026-39827 is a memory exhaustion denial of service vulnerability in the golang.org/x/crypto/ssh package. An authenticated SSH client can repeatedly open channels that the server rejects, causing unbounded memory growth on the server. Rejected channels are not removed from the connection's internal state, preventing garbage collection. Continued abuse crashes the server process and disconnects every active session. The flaw is tracked under [CWE-924] and reported as GO-2026-5016. The fix releases rejected channel state so the runtime can reclaim memory.

Critical Impact

An authenticated client can crash any SSH server built on golang.org/x/crypto/ssh, terminating connections for all users on the host.

Affected Products

  • golang.org/x/crypto/ssh (Go module)
  • Applications and services that embed the Go SSH server library
  • Multi-user SSH gateways and bastion hosts built on Go

Discovery Timeline

  • 2026-05-22 - CVE-2026-39827 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-39827

Vulnerability Analysis

The vulnerability resides in the SSH connection state machine of golang.org/x/crypto/ssh. When a client sends an SSH_MSG_CHANNEL_OPEN request and the server replies with SSH_MSG_CHANNEL_OPEN_FAILURE, the rejected channel object is retained in the connection's channel table. Each rejected attempt allocates new state that is never freed. An authenticated attacker can loop the open request indefinitely to grow the server's heap until the process is killed by the operating system or panics on allocation failure. Because the Go SSH server multiplexes all users through the same process, a single abusive session terminates every other session on the host. The issue is classified as an Improper Enforcement of Message Integrity During Transmission failure ([CWE-924]) but operationally behaves as a resource exhaustion bug.

Root Cause

The connection bookkeeping code retained references to channel structures after sending a rejection response. The garbage collector could not reclaim the memory because the connection map still held live pointers. The patched version removes rejected channels from the internal map after the failure message is sent.

Attack Vector

Exploitation requires valid SSH credentials and network reachability to the server. The attacker repeatedly issues channel open requests for channel types the server will refuse, such as unsupported subsystems. No user interaction is needed and complexity is low. Refer to the Go.dev issue discussion and the upstream patch for protocol-level specifics.

Detection Methods for CVE-2026-39827

Indicators of Compromise

  • Rapidly growing resident memory in processes linking golang.org/x/crypto/ssh
  • High volume of SSH_MSG_CHANNEL_OPEN_FAILURE responses from a single authenticated session
  • SSH daemon crashes followed by mass client disconnects and OOM killer entries in system logs

Detection Strategies

  • Monitor per-process memory growth for Go-based SSH services and alert on sustained increases without matching session counts
  • Inspect SSH server logs for repeated channel rejections originating from one authenticated user or source IP
  • Capture SSH transcripts at debug logging level to count channel open failures per connection over short windows

Monitoring Recommendations

  • Track operating system OOM kill events and correlate with restarts of SSH gateway services
  • Set rate thresholds on channel open failures per session and trigger alerts when they exceed normal client behavior
  • Inventory Go binaries in production using go version -m to identify those still linking vulnerable golang.org/x/crypto versions

How to Mitigate CVE-2026-39827

Immediate Actions Required

  • Upgrade golang.org/x/crypto to the fixed version listed in GO-2026-5016 and rebuild affected binaries
  • Audit all internally developed and third-party Go services that expose SSH endpoints
  • Restrict SSH access to trusted networks and enforce strong authentication to reduce the attacker pool

Patch Information

The fix is committed upstream in Go change 781320 and announced via the golang-announce mailing list. Update golang.org/x/crypto with go get golang.org/x/crypto@latest and recompile. Container images and statically linked binaries must be rebuilt; runtime package updates alone do not fix Go applications.

Workarounds

  • Apply per-user connection and channel rate limits at the SSH server or network firewall
  • Restart SSH services on a schedule until patched binaries are deployed to release leaked memory
  • Revoke credentials for accounts that do not require SSH channel access beyond a session shell
bash
# Update golang.org/x/crypto and rebuild affected binaries
go get golang.org/x/crypto@latest
go mod tidy
go build ./...

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.