Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-06-08 14:53

Modified

2026-06-02 10:29

Summary

Security fixes for CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-45570, CVE-2026-45571, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598, ghsa-3xc5-wrhm-f963, ghsa-crhj-59gh-8x96, ghsa-m7cr-m3pv-hgrp, ghsa-w5pp-99ch-qj29 applied in versions: 1.2.13-r0, 1.2.2-r0

Details

Multiple security vulnerabilities affect the apko package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2026-25680	WEB
	https://osv.dev/vulnerability/CVE-2026-25681	WEB
	https://osv.dev/vulnerability/CVE-2026-27136	WEB
	https://osv.dev/vulnerability/CVE-2026-39821	WEB
	https://osv.dev/vulnerability/CVE-2026-39827	WEB
	https://osv.dev/vulnerability/CVE-2026-39828	WEB
	https://osv.dev/vulnerability/CVE-2026-39829	WEB
	https://osv.dev/vulnerability/CVE-2026-39830	WEB
	https://osv.dev/vulnerability/CVE-2026-39831	WEB
	https://osv.dev/vulnerability/CVE-2026-39832	WEB
	https://osv.dev/vulnerability/CVE-2026-39833	WEB
	https://osv.dev/vulnerability/CVE-2026-39834	WEB
	https://osv.dev/vulnerability/CVE-2026-39835	WEB
	https://osv.dev/vulnerability/CVE-2026-42502	WEB
	https://osv.dev/vulnerability/CVE-2026-42506	WEB
	https://osv.dev/vulnerability/CVE-2026-42508	WEB
	https://osv.dev/vulnerability/CVE-2026-45570	WEB
	https://osv.dev/vulnerability/CVE-2026-45571	WEB
	https://osv.dev/vulnerability/CVE-2026-46595	WEB
	https://osv.dev/vulnerability/CVE-2026-46597	WEB
	https://osv.dev/vulnerability/CVE-2026-46598	WEB
	https://osv.dev/vulnerability/ghsa-3xc5-wrhm-f963	WEB
	https://osv.dev/vulnerability/ghsa-crhj-59gh-8x96	WEB
	https://osv.dev/vulnerability/ghsa-m7cr-m3pv-hgrp	WEB
	https://osv.dev/vulnerability/ghsa-w5pp-99ch-qj29	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25680	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25681	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27136	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39821	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39827	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39828	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39829	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39830	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39831	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39832	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39833	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39834	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39835	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42502	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42506	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42508	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-45570	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-45571	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46595	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46597	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46598	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "apko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.2-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the apko package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-VD09973",
  "modified": "2026-06-02T10:29:51Z",
  "published": "2026-06-08T14:53:11.644656Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-VD09973.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25680"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25681"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27136"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39821"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42502"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42506"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-45570"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-45571"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46598"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3xc5-wrhm-f963"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-crhj-59gh-8x96"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7cr-m3pv-hgrp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w5pp-99ch-qj29"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25680"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25681"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27136"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42502"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42506"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45570"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45571"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46598"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-45570, CVE-2026-45571, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598, ghsa-3xc5-wrhm-f963, ghsa-crhj-59gh-8x96, ghsa-m7cr-m3pv-hgrp, ghsa-w5pp-99ch-qj29 applied in versions: 1.2.13-r0, 1.2.2-r0",
  "upstream": [
    "CVE-2026-25680",
    "CVE-2026-25681",
    "CVE-2026-27136",
    "CVE-2026-39821",
    "CVE-2026-39827",
    "CVE-2026-39828",
    "CVE-2026-39829",
    "CVE-2026-39830",
    "CVE-2026-39831",
    "CVE-2026-39832",
    "CVE-2026-39833",
    "CVE-2026-39834",
    "CVE-2026-39835",
    "CVE-2026-42502",
    "CVE-2026-42506",
    "CVE-2026-42508",
    "CVE-2026-45570",
    "CVE-2026-45571",
    "CVE-2026-46595",
    "CVE-2026-46597",
    "CVE-2026-46598",
    "ghsa-3xc5-wrhm-f963",
    "ghsa-crhj-59gh-8x96",
    "ghsa-m7cr-m3pv-hgrp",
    "ghsa-w5pp-99ch-qj29"
  ]
}

CVE-2026-25680 (GCVE-0-2026-25680)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00

Title

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

Summary

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/781702
https://go.dev/issue/79573
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5028

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

IPC Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:00:30.926552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:00:35.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "IPC Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.805Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/781702"
        },
        {
          "url": "https://go.dev/issue/79573"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5028"
        }
      ],
      "title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25680",
    "datePublished": "2026-05-22T15:01:21.805Z",
    "dateReserved": "2026-02-05T01:35:43.737Z",
    "dateUpdated": "2026-05-22T17:00:35.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25681 (GCVE-0-2026-25681)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46

Title

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Summary

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79574
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781703
https://pkg.go.dev/vuln/GO-2026-5029

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25681",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:46:00.775026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:46:20.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.975Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79574"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781703"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5029"
        }
      ],
      "title": "Invoking  incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25681",
    "datePublished": "2026-05-22T15:01:21.975Z",
    "dateReserved": "2026-02-05T01:35:43.738Z",
    "dateUpdated": "2026-05-22T17:46:20.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27136 (GCVE-0-2026-27136)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59

Title

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

Summary

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79575
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781685
https://pkg.go.dev/vuln/GO-2026-5030

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27136",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:59:35.355098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:59:52.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:22.111Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79575"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781685"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5030"
        }
      ],
      "title": "Invoking  duplicate attributes can cause XSS in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27136",
    "datePublished": "2026-05-22T15:01:22.111Z",
    "dateReserved": "2026-02-17T19:57:28.434Z",
    "dateUpdated": "2026-05-22T16:59:52.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39821 (GCVE-0-2026-39821)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-27 13:13

Title

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Summary

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/767220
https://go.dev/issue/78760
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5026

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/idna	Affected: 0 , < 0.55.0 (semver)

Credits

KC1zs4 (https://github.com/KC1zs4)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-23T03:55:58.522682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1289",
                "description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:13:15.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/idna",
          "product": "golang.org/x/net/idna",
          "programRoutines": [
            {
              "name": "Profile.process"
            },
            {
              "name": "Profile.ToASCII"
            },
            {
              "name": "Profile.ToUnicode"
            },
            {
              "name": "ToASCII"
            },
            {
              "name": "ToUnicode"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "KC1zs4 (https://github.com/KC1zs4)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\"."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.462Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/767220"
        },
        {
          "url": "https://go.dev/issue/78760"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5026"
        }
      ],
      "title": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39821",
    "datePublished": "2026-05-22T15:01:21.462Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-05-27T13:13:15.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39827 (GCVE-0-2026-39827)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:35

Title

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

Summary

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

References

4 references

URL	Tags
https://go.dev/issue/35127
https://go.dev/cl/781320
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5016

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

Ziyan Zhou

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39827",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:35:34.770589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:35:40.472Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "channel.Reject"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziyan Zhou"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection\u0027s internal state and released for garbage collection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.064Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/35127"
        },
        {
          "url": "https://go.dev/cl/781320"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5016"
        }
      ],
      "title": "Invoking  memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39827",
    "datePublished": "2026-05-22T02:31:27.064Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:35:40.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39828 (GCVE-0-2026-39828)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 17:44

Title

Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

Summary

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79562
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781621
https://pkg.go.dev/vuln/GO-2026-5014

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:43:55.428395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:44:19.986Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "connection.serverAuthenticate"
            },
            {
              "name": "NewServerConn"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:26.883Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79562"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781621"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5014"
        }
      ],
      "title": "Invoking  bypass of certificate restrictions in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39828",
    "datePublished": "2026-05-22T02:31:26.883Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T17:44:19.986Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39829 (GCVE-0-2026-39829)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:53

Title

Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

Summary

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1176 - Inefficient CPU Computation

Assigner

References

5 references

URL	Tags
https://go.dev/issue/79565
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781641
https://go.dev/cl/781661
https://pkg.go.dev/vuln/GO-2026-5018

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39829",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:52:38.155082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:53:33.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "parseRSA"
            },
            {
              "name": "checkDSAParams"
            },
            {
              "name": "parseDSA"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "NewSignerFromKey"
            },
            {
              "name": "ParseAuthorizedKey"
            },
            {
              "name": "ParseKnownHosts"
            },
            {
              "name": "ParsePrivateKey"
            },
            {
              "name": "ParsePrivateKeyWithPassphrase"
            },
            {
              "name": "ParsePublicKey"
            },
            {
              "name": "ParseRawPrivateKey"
            },
            {
              "name": "ParseRawPrivateKeyWithPassphrase"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1176: Inefficient CPU Computation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.324Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79565"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781641"
        },
        {
          "url": "https://go.dev/cl/781661"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5018"
        }
      ],
      "title": "Invoking  pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39829",
    "datePublished": "2026-05-22T02:31:27.324Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:53:33.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39830 (GCVE-0-2026-39830)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:54

Title

Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

Summary

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-833 - Deadlock

Assigner

References

5 references

URL	Tags
https://go.dev/issue/79564
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781640
https://go.dev/cl/781664
https://pkg.go.dev/vuln/GO-2026-5017

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39830",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:54:26.306252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:54:54.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "mux.SendRequest"
            },
            {
              "name": "mux.handleGlobalPacket"
            },
            {
              "name": "channel.handlePacket"
            },
            {
              "name": "channel.SendRequest"
            },
            {
              "name": "Client.Listen"
            },
            {
              "name": "Client.ListenTCP"
            },
            {
              "name": "Client.ListenUnix"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "Session.CombinedOutput"
            },
            {
              "name": "Session.Output"
            },
            {
              "name": "Session.RequestPty"
            },
            {
              "name": "Session.RequestSubsystem"
            },
            {
              "name": "Session.Run"
            },
            {
              "name": "Session.SendRequest"
            },
            {
              "name": "Session.Setenv"
            },
            {
              "name": "Session.Shell"
            },
            {
              "name": "Session.Signal"
            },
            {
              "name": "Session.Start"
            },
            {
              "name": "Session.WindowChange"
            },
            {
              "name": "tcpListener.Close"
            },
            {
              "name": "unixListener.Close"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection\u0027s read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-833: Deadlock",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.208Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79564"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781640"
        },
        {
          "url": "https://go.dev/cl/781664"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5017"
        }
      ],
      "title": "Invoking  client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39830",
    "datePublished": "2026-05-22T02:31:27.208Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:54:54.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39831 (GCVE-0-2026-39831)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 18:52

Title

Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

Summary

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79566
https://groups.google.com/g/golang-announce/c/a08…
https://go.dev/cl/781662
https://pkg.go.dev/vuln/GO-2026-5019

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39831",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:51:41.233749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:52:08.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "CertChecker.CheckCert"
            },
            {
              "name": "skECDSAPublicKey.Verify"
            },
            {
              "name": "skEd25519PublicKey.Verify"
            },
            {
              "name": "connection.serverAuthenticate"
            },
            {
              "name": "CertChecker.Authenticate"
            },
            {
              "name": "CertChecker.CheckHostKey"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "Dial"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a \"no-touch-required\" extension in Permissions.Extensions from PublicKeyCallback."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:27.436Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79566"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://go.dev/cl/781662"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5019"
        }
      ],
      "title": "Invoking  bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39831",
    "datePublished": "2026-05-22T02:31:27.436Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-22T18:52:08.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39832 (GCVE-0-2026-39832)

Vulnerability from cvelistv5 – Published: 2026-05-22 02:31 – Updated: 2026-05-22 19:03

Title

Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

Summary

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-281 - Improper Preservation of Permissions

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79435
https://go.dev/cl/778642
https://groups.google.com/g/golang-announce/c/a08…
https://pkg.go.dev/vuln/GO-2026-5006

Impacted products

1 product

Vendor	Product	Version
golang.org/x/crypto	golang.org/x/crypto/ssh/agent	Affected: 0 , < 0.52.0 (semver)

Credits

NCC Group Cryptography Services, sponsored by Teleport

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39832",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:59:53.174504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T19:03:06.882Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh/agent",
          "product": "golang.org/x/crypto/ssh/agent",
          "programRoutines": [
            {
              "name": "client.Add"
            },
            {
              "name": "keyring.Add"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-281: Improper Preservation of Permissions",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:26.660Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79435"
        },
        {
          "url": "https://go.dev/cl/778642"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5006"
        }
      ],
      "title": "Invoking  agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39832",
    "datePublished": "2026-05-22T02:31:26.660Z",
    "dateReserved": "2026-04-07T18:13:03.529Z",
    "dateUpdated": "2026-05-22T19:03:06.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2026-25680 (GCVE-0-2026-25680)

CVE-2026-25681 (GCVE-0-2026-25681)

CVE-2026-27136 (GCVE-0-2026-27136)

CVE-2026-39821 (GCVE-0-2026-39821)

CVE-2026-39827 (GCVE-0-2026-39827)

CVE-2026-39828 (GCVE-0-2026-39828)

CVE-2026-39829 (GCVE-0-2026-39829)

CVE-2026-39830 (GCVE-0-2026-39830)

CVE-2026-39831 (GCVE-0-2026-39831)

CVE-2026-39832 (GCVE-0-2026-39832)

Tags

Sightings

Nomenclature