Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52814

CVE-2026-52814: Gogs SSH Server DoS Vulnerability

CVE-2026-52814 is a denial of service vulnerability in Gogs SSH server that allows unauthenticated attackers to exhaust file descriptors. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-52814 Overview

CVE-2026-52814 is a denial of service vulnerability in Gogs, an open source self-hosted Git service. Versions prior to 0.14.3 ship a built-in Go SSH server that accepts inbound TCP connections and hands them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing read or write deadlines on the underlying net.Conn. An unauthenticated remote attacker can open many TCP connections to the SSH port and withhold the SSH protocol banner, forcing the server to spawn goroutines that block indefinitely on socket I/O. The vulnerability is tracked under [CWE-400: Uncontrolled Resource Consumption] and is fixed in Gogs 0.14.3.

Critical Impact

Unauthenticated attackers can exhaust file descriptors on the Gogs host, blocking Git SSH access for legitimate users and destabilizing the entire Gogs process.

Affected Products

  • Gogs self-hosted Git service versions prior to 0.14.3
  • Deployments exposing the built-in Go SSH server to untrusted networks
  • Any platform running the vulnerable Gogs binary (Linux, Windows, macOS, containerized builds)

Discovery Timeline

  • 2026-06-24 - CVE-2026-52814 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-52814

Vulnerability Analysis

The Gogs SSH listener accepts TCP connections and immediately delegates each connection to ssh.NewServerConn within a fresh goroutine. The handshake routine blocks while waiting for the client to send the SSH protocol banner (SSH-2.0-...). Because no SetReadDeadline or SetWriteDeadline is configured on the net.Conn, a misbehaving or malicious client can keep the connection open indefinitely.

The asymmetry between attacker cost and server cost defines the impact. A single attacker can cheaply open thousands of TCP sockets while the server holds an unbounded number of goroutines and file descriptors. Once the operating system process reaches its file descriptor limit, the Gogs process can no longer accept new connections, open log files, or perform routine I/O. Log rotation failures and broader service degradation follow.

Root Cause

The root cause is missing I/O timeout enforcement during the SSH handshake phase. The handler trusts the remote peer to advance the protocol within a reasonable window. Without deadlines, the goroutine waits forever for bytes that never arrive, and the resource is never reclaimed.

Attack Vector

Exploitation requires only network reachability to the Gogs SSH port. No credentials, user interaction, or prior access are needed. An attacker scripts repeated TCP connect() calls and refuses to write any data, holding each connection open until the Gogs process exhausts its file descriptor table.

go
// Patch excerpt from internal/ssh/ssh.go
 	"strconv"
 	"strings"
 	"syscall"
+	"time"
 
 	"github.com/cockroachdb/errors"
 	"github.com/sourcegraph/run"

Source: Gogs commit 7da9cda3. The fix introduces the time package to enforce a 15-second timeout on stalled SSH handshakes, as described in Pull Request #8335.

Detection Methods for CVE-2026-52814

Indicators of Compromise

  • Sustained spikes in concurrent TCP connections to the Gogs SSH port from a small set of source IPs.
  • Steadily increasing open file descriptor count on the Gogs process without a matching increase in completed Git operations.
  • Log rotation failures, too many open files errors, or accept: EMFILE entries in Gogs application logs.
  • Legitimate SSH clients reporting connection refusals or hangs against a previously healthy Gogs instance.

Detection Strategies

  • Monitor the Gogs process file descriptor usage with lsof -p <pid> | wc -l or /proc/<pid>/fd and alert on rapid growth.
  • Inspect TCP socket state distributions for an abnormal volume of ESTABLISHED connections on the SSH port with zero bytes transferred.
  • Correlate goroutine counts from the Gogs runtime metrics endpoint, if enabled, against active authenticated SSH sessions.

Monitoring Recommendations

  • Forward Gogs application logs and host-level socket telemetry to a centralized analytics platform for time-series baselining.
  • Track per-source-IP connection rates to the SSH port and flag IPs that open many sockets without completing a handshake.
  • Add alerts for EMFILE, ENFILE, and log rotation failure events on hosts running Gogs.

How to Mitigate CVE-2026-52814

Immediate Actions Required

  • Upgrade Gogs to version 0.14.3 or later, which enforces a 15-second timeout on SSH handshakes.
  • Restrict inbound access to the Gogs SSH port using firewall rules or a bastion, limiting exposure to trusted networks where feasible.
  • Raise the file descriptor ulimit for the Gogs process as a short-term buffer while patching is scheduled.

Patch Information

The fix is included in Gogs release v0.14.3. The patch, tracked in GHSA-xp79-5mx3-jx52 and merged via Pull Request #8335, applies read and write deadlines to incoming SSH connections so stalled handshakes are reaped after 15 seconds.

Workarounds

  • Place a reverse proxy or TCP-aware load balancer in front of the Gogs SSH listener and configure idle and handshake timeouts upstream.
  • Apply per-source connection rate limits using iptablesconnlimit or equivalent network appliance controls.
  • Disable the built-in SSH server and route Git over SSH through the host's OpenSSH daemon if patching cannot be performed immediately.
bash
# Example iptables rule limiting concurrent SSH connections per source IP
iptables -A INPUT -p tcp --dport 22 -m connlimit \
  --connlimit-above 10 --connlimit-mask 32 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.