CVE-2026-39830 · CRITICAL 9.1 · EPSS p22.9%


golang / crypto

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.31% probability of exploitation · percentile 22.9% · 2026-06-18T12:00:27Z
Published: 2026-05-22
Last modified: 2026-06-02

References

  1. https://go.dev/cl/781640
  2. https://go.dev/cl/781664
  3. https://go.dev/issue/79564
  4. https://groups.google.com/g/golang-announce/c/a082jnz-LvI
  5. https://pkg.go.dev/vuln/GO-2026-5017

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-39834
  2. CVE-2026-39828
  3. CVE-2026-39832
  4. CVE-2026-46595
  5. CVE-2026-31631
  6. CVE-2026-33845

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.