CVE-2026-39832 Overview
CVE-2026-39832 affects the golang.org/x/crypto SSH agent implementation. When clients add a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. The remote agent received the key without these destination restrictions, allowing unrestricted use on the remote host. The flaw maps to [CWE-502: Deserialization of Untrusted Data] and impacts any Go application relying on the package to forward SSH keys with destination constraints.
Critical Impact
Destination restrictions attached to forwarded SSH keys are silently stripped, granting attackers on the remote host unrestricted use of the forwarded key against any reachable system.
Affected Products
- golang.org/x/crypto SSH agent client (prior to the fixed release)
- Go applications using agent.Add with constraint extensions
- In-memory keyrings created via NewKeyring() accepting unsupported constraint extensions
Discovery Timeline
- 2026-05-22 - CVE-2026-39832 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-39832
Vulnerability Analysis
The vulnerability resides in the SSH agent client code path that serializes AddedKey messages before sending them to a remote agent. Standard constraints such as confirmation requirements and lifetimes were serialized correctly. Constraint extensions, including restrict-destination-v00@openssh.com, were omitted from the serialized request. The remote agent therefore stored the key without any extension-based restriction.
The restrict-destination-v00@openssh.com extension is designed to bind a forwarded key to a specific chain of hosts. When the extension is stripped, an attacker who controls or compromises the intermediate host can use the forwarded key to authenticate to arbitrary destinations. This breaks a core defense intended to limit lateral movement through SSH agent forwarding.
A second issue compounds the risk: the in-memory keyring returned by NewKeyring() accepted keys carrying unsupported constraint extensions and silently ignored them. Callers assumed restrictions were enforced when they were not.
Root Cause
The client-side serialization routine for agent AddedKey requests did not include constraint extension fields when encoding the wire message. The keyring implementation also lacked validation logic to reject extensions it could not enforce, yielding silent failure semantics for security-critical constraints.
Attack Vector
Exploitation requires an attacker on a remote host that receives a forwarded key from a victim using the vulnerable Go SSH agent client. Because the destination restriction never reaches the remote agent, the attacker can use the forwarded key to authenticate to any system the key is valid for. The attack is network-reachable and requires no privileges or user interaction beyond the existing forwarding session.
No working proof-of-concept exploit is publicly available. The vulnerability mechanism is described in the Go Vulnerability Report GO-2026-5006 and the Go change list.
Detection Methods for CVE-2026-39832
Indicators of Compromise
- SSH authentications using forwarded agent keys against hosts outside the intended destination chain defined by restrict-destination-v00@openssh.com.
- Go binaries linking vulnerable versions of golang.org/x/crypto identified via software bill of materials (SBOM) scanning.
- Agent AddedKey traffic from Go clients that omits constraint extension blocks compared to OpenSSH reference clients.
Detection Strategies
- Inventory Go applications and libraries with govulncheck to flag dependencies matching GO-2026-5006.
- Compare expected destination restrictions in client configuration against actual agent state on remote hosts using ssh-add -L and constraint inspection.
- Audit SSH server logs for agent-forwarded key usage that originates from hosts where forwarding should have been restricted.
Monitoring Recommendations
- Correlate SSH userauth events across bastion and downstream hosts to identify key reuse beyond intended destinations.
- Alert on new outbound SSH sessions initiated from intermediate hosts that hold forwarded agent keys.
- Track deployments of Go binaries and rebuild pipelines for ongoing exposure to unpatched x/crypto versions.
How to Mitigate CVE-2026-39832
Immediate Actions Required
- Upgrade golang.org/x/crypto to the fixed version listed in GO-2026-5006 and rebuild all dependent binaries.
- Run govulncheck ./... across Go projects to identify call sites that reach the vulnerable agent serialization code.
- Rotate any SSH keys that were forwarded through vulnerable clients to environments outside your trust boundary.
Patch Information
The upstream fix serializes all constraint extensions in client AddedKey requests and rejects keys with unsupported constraint extensions in NewKeyring(). Details are tracked in the Go change list 778642, the Go issue 79435, and the golang-announce notice.
Workarounds
- Disable SSH agent forwarding for sessions that rely on destination-restricted keys until patched binaries are deployed.
- Use the native OpenSSH client (ssh-add, ssh -A) for workflows that require restrict-destination-v00@openssh.com enforcement.
- Restrict which hosts can act as intermediates for agent forwarding using AllowAgentForwarding no on untrusted servers.
# Configuration example
# /etc/ssh/sshd_config on intermediate hosts
AllowAgentForwarding no
# Verify Go module version after patching
go list -m golang.org/x/crypto
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
