{"vulnerability": "cve-2026-39835", "sightings": [{"uuid": "718aa917-072e-44f4-b948-7bc47bb32e46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmgc7xj2rw2e", "content": "CVE-2026-39835 - Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh\nCVE ID : CVE-2026-39835\n \n Published : May 22, 2026, 4:16 a.m. | 1\u00a0hour, 34\u00a0minutes ago\n \n Description : SSH servers which use CertChecker as a public key callback without settin...", "creation_timestamp": "2026-05-22T06:21:59.794399Z"}, {"uuid": "b67caec6-d38e-4e6b-b620-3958829e7dfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mnafjazque2y", "content": "\ud83d\udd17 CVE : CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466, CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466", "creation_timestamp": "2026-06-01T15:38:41.030805Z"}, {"uuid": "85af0409-df69-4632-b849-9b4d40b8d297", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39835", "type": "seen", "source": "https://gist.github.com/alon710/c4000d6cf995053d5e37ba048c93349d", "content": "# CVE-2026-39835: CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-25\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39835\n\n## Summary\nA Denial of Service (DoS) vulnerability exists in the Go SSH implementation package (golang.org/x/crypto/ssh). The vulnerability is caused by a null pointer dereference (runtime panic) when CertChecker is utilized as a public key callback but its validation fields, IsUserAuthority or IsHostAuthority, are uninitialized.\n\n## TL;DR\nAn unauthenticated remote attacker can crash Go SSH servers using CertChecker by presenting certificates during the handshake, exploiting uninitialized function pointers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-476\n- **Attack Vector**: Network\n- **CVSS Severity**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept\n- **Affected Package**: golang.org/x/crypto/ssh\n- **Fixed Version**: v0.52.0\n\n## Affected Systems\n\n- Docker / Moby\n- HashiCorp Vault\n- Prometheus\n- Gitea\n- containerd\n- Podman\n- Trivy\n- Amazon CloudWatch Agent\n- AWS Systems Manager Agent (SSM)\n- SOPS\n- Atlantis\n- Cloudflared\n- Splunk OpenTelemetry Collector\n- **golang.org/x/crypto**: < 0.52.0 (Fixed in: `0.52.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/crypto to v0.52.0 or higher.\n- Audit CertChecker instantiations to ensure all authority callbacks are non-nil.\n- Implement fallback validation functions that explicitly deny requests instead of leaving them uninitialized.\n\n**Remediation Steps:**\n1. Verify local Go installation and project dependencies.\n2. Run 'go get golang.org/x/crypto@v0.52.0' to update the module.\n3. Run 'go mod tidy' to synchronize dependencies.\n4. Recompile and redeploy the affected services.\n5. Verify vulnerability remediation using 'govulncheck'.\n\n## References\n\n- [Go Issue 79563](https://go.dev/issue/79563)\n- [Go Announce Mailing List](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)\n- [Go VulnDB Entry GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39835) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T08:42:13.243537Z"}]}