CVE-2026-39827
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
CVSS 3.1: 6.5 (MEDIUM)
EPSS 0.02%
Description
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
How to fix CVE-2026-39827
To remediate CVE-2026-39827, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 0.52.0 or later
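One way to check a project's go.mod against the fixed version above, as an added example that is not part of the advisory or of the project's own code. It assumes the affected module path is golang.org/x/crypto (the module that contains golang.org/x/crypto/ssh); the function names and the sample go.mod content are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: golang.org/x/crypto/ssh ships in the module golang.org/x/crypto.
const modulePath = "golang.org/x/crypto"

var fixed = [3]int{0, 52, 0} // fixed version named in the advisory

// Vulnerable reports whether version v sorts before the fixed release.
func Vulnerable(v string) (bool, error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(v, "-")                    // pre-release or pseudo-version suffix
	var n [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return false, fmt.Errorf("unexpected version %q: %w", v, err)
	}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] < fixed[i], nil
		}
	}
	// Same core: v0.52.0-rc.1 or a v0.52.0-0.<date>-<hash> pseudo-version
	// sorts before v0.52.0, so it is flagged conservatively.
	return pre, nil
}

// FindVersion returns the version a go.mod text requires for modulePath.
func FindVersion(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		// The "v" check skips replace-block lines such as "path => ../fork".
		if len(f) >= 2 && f[0] == modulePath && strings.HasPrefix(f[1], "v") {
			return f[1], true
		}
	}
	return "", false
}

func main() {
	// Constructed go.mod content, not taken from a real project.
	v, _ := FindVersion("module example.com/sshd\n\nrequire golang.org/x/crypto v0.51.0\n")
	bad, err := Vulnerable(v)
	fmt.Println(v, "vulnerable:", bad, err)
}
```

The version in go.mod is only the minimum requested, and replace directives are ignored here; `go list -m golang.org/x/crypto` reports the version actually selected for the build.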
Is CVE-2026-39827 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.52.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |