CVE-2026-39834

CRITICAL9.1EPSS 0.05%

Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

Published: 5/22/2026Modified: 5/29/2026

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected packages (2)

Debian/golang-go.cryptofrom 0
Go/golang.org/x/cryptofrom 0, < 0.52.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-39834
PATCHhttps://go.dev/cl/781663
REPORThttps://go.dev/issue/79567
WEBhttps://groups.google.com/g/golang-announce/c/a082jnz-LvI