CVE-2026-39829
Published 2026-05-22
Priority P3 · 44 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.39% (30.8th percentile)
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Affected
198 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| advanced-cluster-security | rhacs-rhel8-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel8 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-security-profiles-operator-bundle | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-native-virtualization | virt-artifacts-server-rhel9 | — | — |
| container-native-virtualization | virt-controller-rhel9 | — | — |
| container-native-virtualization | virt-exportproxy-rhel9 | — | — |
| container-native-virtualization | virt-exportserver-rhel9 | — | — |
| container-native-virtualization | virt-handler-rhel9 | — | — |
| container-native-virtualization | virt-launcher-rhel9 | — | — |
| container-native-virtualization | virt-operator-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | podman | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| devspaces | traefik-rhel9 | — | — |
| devworkspace | devworkspace-project-clone-rhel9 | — | — |
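CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |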
Red Hat
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
vendor_redhat·2026-05-22·CVSS 7.5
CVE-2026-39829 [HIGH] CWE-1284 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or
GHSA
golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS
ghsa·2026-06-25
CVE-2026-39829 [HIGH] CWE-347 golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS
VulDB
x-crypto up to 0.51.x RSA/DSA inefficient cpu computation (EUVD-2026-31396)
vuldb·2026-05-22
CVE-2026-39829 [LOW] x-crypto up to 0.51.x RSA/DSA inefficient cpu computation (EUVD-2026-31396)
A vulnerability was found in x-crypto up to 0.51.x and classified as problematic. Affected by this issue is some unknown functionality of the component RSA/DSA. The manipulation results in inefficient cpu computation.
This vulnerability is cataloged as CVE-2026-39829. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39829 docker-buildkit: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 docker-buildkit: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39829 restic: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 restic: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 nng: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 nng: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 kubernetes1.36: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 kubernetes1.36: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 cri-o: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 cri-o: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 cri-o1.31: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 cri-o1.31: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 kubernetes1.34: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 kubernetes1.34: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 docker-buildx: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 docker-buildx: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 cri-o1.32: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 cri-o1.32: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 incus: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 incus: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 inspektor-gadget: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 inspektor-gadget: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 gopass: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 gopass: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 podman: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 podman: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 doctl: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 doctl: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 kubernetes1.30: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 kubernetes1.30: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 age: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 age: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 opkssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 opkssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 trivy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 trivy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 transifex-client: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 transifex-client: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 vhs: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 vhs: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 DankMaterialShell: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 DankMaterialShell: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 golang-github-acme-lego: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 golang-github-acme-lego: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 age: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 age: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 gh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 gh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 forgejo: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 forgejo: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 gvisor-tap-vsock: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 gvisor-tap-vsock: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 kubernetes1.33: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 kubernetes1.33: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 headscale: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 headscale: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 docker-compose: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 docker-compose: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 openbao: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 openbao: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Discussion:
OpenBao does not use the server side functions of golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39829 nebula: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 nebula: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 kubernetes1.31: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 kubernetes1.31: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
Bugzilla
CVE-2026-39829 nuclei: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 nuclei: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
Bugzilla
CVE-2026-39829 ollama: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 chezmoi: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 pack: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 buildah: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 hcloud: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 golang-github-theoapp-theo-agent: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 containers-common: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 kubernetes1.32: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 cri-o1.33: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 forgejo: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Discussion:
I just recently fixed this in rawhide with caddy-2.11.4-1.fc45. All other fedora branches are affected.
Bugzilla
CVE-2026-39829 apptainer: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Discussion:
Apptainer does not use golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 opentofu: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 kubernetes1.35: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 cri-o1.35: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 opkssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 openbao: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Discussion:
OpenBao does not use the server side functions of golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 chezmoi: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 trivy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 nuclei: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 trayscale: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 pack: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 apptainer: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Discussion:
Apptainer does not use golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39829 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 golang-github-cloudflare-redoctober: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 google-guest-agent: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 moby-engine: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 gopass-jsonapi: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 cri-o1.30: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 k9s: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 rootlesskit: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 restic: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 clash-meta: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 vagrant: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 cheat: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 clash-meta: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 matterbridge: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
Bugzilla
CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 tailscale: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 golang-github-git-5: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 gh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 matterbridge: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 cri-o1.34: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 complyctl: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 gopass-hibp: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
bugzilla·2026-06-17·CVSS 7.5
CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
bugzilla·2026-05-22·CVSS 7.5
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
https://go.dev/cl/781641
https://go.dev/cl/781661
https://go.dev/issue/79565
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5018
https://access.redhat.com/errata/RHSA-2026:29455
https://access.redhat.com/security/cve/CVE-2026-39829
https://bugzilla.redhat.com/show_bug.cgi?id=2480681
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39829.json
2026-05-22
Published
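The modulus size limit described above, sketched as an added Go example (not code from golang.org/x/crypto/ssh or from this page): it measures the modulus of an `ssh-rsa` wire blob and rejects oversized keys before any signature verification is attempted. `CheckRSAKeyBlob`, `constructedBlob` and the sample key sizes are hypothetical names and constructed data; only the 8192-bit limit comes from the advisory text.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

const maxRSAModulusBits = 8192 // limit stated in the advisory

// CheckRSAKeyBlob measures the modulus of an "ssh-rsa" blob (type, e, n) and
// rejects it when malformed or over the limit, before any signature math runs.
func CheckRSAKeyBlob(blob []byte) (int, error) {
	var f [3][]byte // key type, public exponent e, modulus n
	for i := range f {
		if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
			return 0, fmt.Errorf("truncated SSH wire field %d", i)
		}
		end := 4 + int(binary.BigEndian.Uint32(blob))
		f[i], blob = blob[4:end], blob[end:]
	}
	if string(f[0]) != "ssh-rsa" {
		return 0, fmt.Errorf("unexpected key type %q", f[0])
	}
	nbits := new(big.Int).SetBytes(f[2]).BitLen() // modulus read as unsigned
	if nbits == 0 || nbits > maxRSAModulusBits {
		return nbits, fmt.Errorf("RSA modulus of %d bits rejected (limit %d)", nbits, maxRSAModulusBits)
	}
	return nbits, nil
}

// constructedBlob builds sample input (not a real key) with a modBits-bit modulus.
func constructedBlob(modBits int) []byte {
	n := make([]byte, 1+modBits/8) // leading zero sign byte, then the modulus
	n[1], n[len(n)-1] = 0x80, 0x01
	var out []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), {0x01, 0x00, 0x01}, n} {
		out = binary.BigEndian.AppendUint32(out, uint32(len(f)))
		out = append(out, f...)
	}
	return out
}

func main() {
	for _, size := range []int{2048, 8192, 16384} {
		nbits, err := CheckRSAKeyBlob(constructedBlob(size))
		fmt.Println(size, nbits, err)
	}
}
```

A check like this belongs in front of the public key authentication callback, so an unauthenticated client's oversized key is dropped at parse time.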