Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39835

CVE-2026-39835: Golang Crypto SSH Server DOS Vulnerability

CVE-2026-39835 is a denial of service vulnerability in Golang Crypto SSH servers that allows clients to cause panic using certificates. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-39835 Overview

CVE-2026-39835 affects the golang.org/x/crypto/ssh package. SSH servers that use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority can be forced into a panic by a client presenting a certificate. The panic occurs because the package dereferences nil authority callbacks during certificate validation. Remote clients can trigger the condition without authentication, producing a denial of service against the SSH server process. The fix changes CertChecker to return an error instead of panicking when these callbacks are nil. The issue is tracked as GO-2026-5015 and is classified under [CWE-295] Improper Certificate Validation.

Critical Impact

Unauthenticated remote clients can crash Go-based SSH servers that embed CertChecker without configured authority callbacks, resulting in service disruption.

Affected Products

  • golang.org/x/crypto SSH package versions prior to the fixed release
  • Go applications embedding CertChecker as a PublicKeyCallback
  • SSH servers built on golang:crypto that omit IsUserAuthority and IsHostAuthority configuration

Discovery Timeline

  • 2026-05-22 - CVE-2026-39835 published to NVD
  • 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2026-39835

Vulnerability Analysis

The vulnerability resides in the CertChecker type within the golang.org/x/crypto/ssh package. CertChecker is commonly used as a PublicKeyCallback in SSH server implementations to validate client certificates issued by a configured certificate authority. The type exposes two callback fields, IsUserAuthority and IsHostAuthority, that the caller is expected to populate to determine whether a presented certificate authority is trusted for user or host authentication.

When a server registers CertChecker.Authenticate as a public key callback but leaves these authority callbacks unset, the certificate validation path invokes a nil function value. The resulting nil dereference produces a runtime panic. Because the panic occurs inside the connection handler before authentication completes, any unauthenticated client capable of reaching the SSH service can trigger it by presenting a certificate-formatted public key.

The upstream fix modifies CertChecker so the function returns an explicit error when the relevant authority callback is nil, preventing the panic and allowing the SSH server to reject the certificate cleanly.

Root Cause

The root cause is missing nil-guard logic around the IsUserAuthority and IsHostAuthority callback invocations in CertChecker. The API contract did not enforce that these fields be set, and the implementation assumed non-nil function values. The flaw maps to [CWE-295] Improper Certificate Validation because the certificate authority trust decision is not safely handled when configuration is incomplete.

Attack Vector

An attacker initiates an SSH connection to a vulnerable server and submits an SSH certificate as part of the public key authentication exchange. No credentials, prior access, or user interaction are required. The server panics during certificate processing, terminating the goroutine handling the connection and, depending on how the host application is structured, potentially the entire SSH process. Repeated connections can be used to sustain the denial of service.

No verified public exploit code is currently available. Refer to the Go.dev Code Review and Go.dev Issue Tracker for technical details on the affected code path.

Detection Methods for CVE-2026-39835

Indicators of Compromise

  • Unexpected SSH server process restarts or goroutine panics referencing golang.org/x/crypto/ssh and CertChecker in stack traces
  • Repeated short-lived SSH connections from a single source followed by server crash logs
  • Panic messages containing runtime error: invalid memory address or nil pointer dereference originating from the SSH certificate validation path

Detection Strategies

  • Inventory Go applications that import golang.org/x/crypto/ssh and identify those using CertChecker without configuring both authority callbacks
  • Review SSH server source for ssh.CertChecker{} constructions that omit IsUserAuthority or IsHostAuthority assignments
  • Use Go vulnerability scanning with govulncheck to flag binaries referencing GO-2026-5015

Monitoring Recommendations

  • Alert on SSH daemon crash loops and abnormal restart counts in process supervisors or container orchestrators
  • Forward Go runtime panic logs to a centralized logging system and trigger detections on crypto/ssh stack frames
  • Track inbound SSH connection rates per source IP to identify clients triggering repeated certificate-based failures

How to Mitigate CVE-2026-39835

Immediate Actions Required

  • Upgrade golang.org/x/crypto to the patched version referenced in the Go.dev Vulnerability Report and rebuild affected binaries
  • Audit all SSH server code paths that construct CertChecker and ensure both IsUserAuthority and IsHostAuthority are assigned to concrete functions
  • Restrict network exposure of affected SSH services to trusted networks until patching is complete

Patch Information

The Go security team published the fix in the upstream golang.org/x/crypto module. The change replaces the nil dereference with an error return. See the Go.dev Code Review, the Go.dev Issue Tracker, and the Google Groups Announcement for release details. Update dependencies with go get golang.org/x/crypto@latest and verify with govulncheck ./....

Workarounds

  • Set both IsUserAuthority and IsHostAuthority on every CertChecker instance, returning false when a particular certificate role is not supported
  • Place affected SSH services behind a network-level filter or bastion host that rejects untrusted clients until the dependency is updated
  • Configure process supervisors to automatically restart the SSH daemon to limit the duration of any successful denial-of-service attempt
bash
# Configuration example
go get golang.org/x/crypto@latest
go mod tidy
govulncheck ./...

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.