CVE-2026-39834

CRITICAL 9.1

Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

5th

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Vendor	golang.org/x/crypto
Product	golang.org/x/crypto/ssh
Published	May 22, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for golang.org/x/crypto golang.org/x/crypto/ssh

Be the first to know when new critical vulnerabilities affecting golang.org/x/crypto golang.org/x/crypto/ssh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

golang.org/x/crypto / golang.org/x/crypto/ssh

0 < 0.52.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

go.dev: https://go.dev/issue/79567 groups.google.com: https://groups.google.com/g/golang-announce/c/a082jnz-LvI go.dev: https://go.dev/cl/781663 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-5020

Credits

NCC Group Cryptography Services, sponsored by Teleport