CVE-2026-39833 · CRITICAL 9.1 · EPSS p21.4%

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.30% probability of exploitation · percentile 21.4% · 2026-06-19T12:03:05Z
Published: 2026-05-22
Last modified: 2026-05-22

References

  1. https://go.dev/cl/778640
  2. https://go.dev/cl/778641
  3. https://go.dev/issue/79436
  4. https://groups.google.com/g/golang-announce/c/a082jnz-LvI
  5. https://pkg.go.dev/vuln/GO-2026-5005

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-39832
  2. CVE-2026-39831
  3. CVE-2026-39829
  4. CVE-2026-42508
  5. CVE-2026-25277
  6. CVE-2025-3757

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.