CVE-2026-39830
published 2026-05-22CVE-2026-39830: A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine…
PriorityP352critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
EPSS
0.50%
39.0th percentile
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Affected
207 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| advanced-cluster-security | rhacs-rhel8-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel8 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-security-profiles-operator-bundle | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-native-virtualization | virt-artifacts-server-rhel9 | — | — |
| container-native-virtualization | virt-controller-rhel9 | — | — |
| container-native-virtualization | virt-exportproxy-rhel9 | — | — |
| container-native-virtualization | virt-exportserver-rhel9 | — | — |
| container-native-virtualization | virt-handler-rhel9 | — | — |
| container-native-virtualization | virt-launcher-rhel9 | — | — |
| container-native-virtualization | virt-operator-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | podman | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| devspaces | traefik-rhel9 | — | — |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vendor_redhat9.1CRITICAL
vendor_ubuntu9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses
ghsa·2026-06-25
CVE-2026-39830 [CRITICAL] CWE-119 golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses
golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
VulDB
x-crypto up to 0.51.x on Go SSH Peer Close deadlock (EUVD-2026-31397 / WID-SEC-2026-1653)
vuldb·2026-05-23
CVE-2026-39830 [LOW] x-crypto up to 0.51.x on Go SSH Peer Close deadlock (EUVD-2026-31397 / WID-SEC-2026-1653)
A vulnerability was found in x-crypto up to 0.51.x on Go. It has been classified as problematic. This affects the function Close of the component SSH Peer Handler. This manipulation causes deadlock.
This vulnerability is registered as CVE-2026-39830. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
Ubuntu
Google Guest Agent vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 9.1
CVE-2026-39831 [CRITICAL] Google Guest Agent vulnerabilities
Title: Google Guest Agent vulnerabilities
Summary: Several security issues were fixed in Google Guest Agent.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in Google
Guest Agent.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04
LTS, and Ubuntu 26.04
Ubuntu
LXD vulnerabilities
vendor_ubuntu·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] LXD vulnerabilities
Title: LXD vulnerabilities
Summary: Several security issues were fixed in LXD.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in LXD for
CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 2
Red Hat
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
vendor_redhat·2026-05-22·CVSS 9.1
CVE-2026-39830 [CRITICAL] CWE-772 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak per connection. The consequence is a Denial of Service (DoS) for the affected system.
Stateme
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39830 buildah: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 buildah: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 buildah: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 headscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 headscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 headscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
OpenBao does not use the server side functions of golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Apptainer does not use golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39830 docker-compose: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 docker-compose: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 docker-compose: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 inspektor-gadget: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 inspektor-gadget: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 inspektor-gadget: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 transifex-client: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 transifex-client: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 transifex-client: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 forgejo-runner: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 hcloud: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 hcloud: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 hcloud: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 containers-common: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 containers-common: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 containers-common: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
no src or bin shipped. only config files.
Bugzilla
CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 matterbridge: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-francoispqt-gojay: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gvisor-tap-vsock: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gvisor-tap-vsock: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 gvisor-tap-vsock: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-x-crypto: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cheat: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cheat: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cheat: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 podman: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 podman: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 podman: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
fedora rawhide should be unaffected as it already has version number higher than required for the fix. Created an upstream PR for v5.8 https://github.com/podman-container-tools/podman/pull/28971
Bugzilla
CVE-2026-39830 cri-o1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-theoapp-theo-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-theoapp-theo-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-theoapp-theo-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 clash-meta: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 incus: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 incus: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 incus: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gopass-hibp: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gopass-hibp: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 gopass-hibp: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 docker-buildx: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 docker-buildx: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 docker-buildx: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 google-guest-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 google-guest-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 google-guest-agent: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 trivy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-facebookincubator-go2chef: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 nebula: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 nebula: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 nebula: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.36: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.36: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.36: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 DankMaterialShell: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 DankMaterialShell: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 DankMaterialShell: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gopass: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gopass: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 gopass: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.31: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 chezmoi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 nng: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 nng: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 nng: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 openbao: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
OpenBao does not use the server side functions of golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39830 golang-github-acme-lego: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-acme-lego: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-acme-lego: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 pack: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 complyctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 complyctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 complyctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 vhs: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 vhs: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 vhs: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 docker-buildkit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 docker-buildkit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 docker-buildkit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 doctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 doctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 doctl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 age: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-cloudflare-redoctober: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-cloudflare-redoctober: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-cloudflare-redoctober: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 apptainer: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Apptainer does not use golang.org/x/crypto/ssh so this vulnerability is not applicable.
Bugzilla
CVE-2026-39830 rootlesskit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 rootlesskit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 rootlesskit: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 k9s: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 k9s: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 k9s: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 opentofu: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 opentofu: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 opentofu: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 singularity-ce: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 trayscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 trayscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 trayscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-cloudflare-cfssl: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 moby-engine: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 moby-engine: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 moby-engine: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 tailscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 tailscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 tailscale: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 ollama: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 ollama: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 ollama: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gopass-jsonapi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gopass-jsonapi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 gopass-jsonapi: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.34: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 cri-o1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 cri-o1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 cri-o1.32: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 nuclei: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.30: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 vagrant: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 vagrant: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 vagrant: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Vagrant does not ship any Golang bits
Bugzilla
CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 forgejo: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.35: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 gh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 kubernetes1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 kubernetes1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 kubernetes1.33: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 restic: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang-github-git-5: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
bugzilla·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang-github-git-5: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
CVE-2026-39830 golang-github-git-5: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
bugzilla·2026-05-22·CVSS 9.1
CVE-2026-39830 [CRITICAL] CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
https://go.dev/cl/781640https://go.dev/cl/781664https://go.dev/issue/79564https://groups.google.com/g/golang-announce/c/a082jnz-LvIhttps://pkg.go.dev/vuln/GO-2026-5017https://access.redhat.com/errata/RHSA-2026:29455https://access.redhat.com/security/cve/CVE-2026-39830https://bugzilla.redhat.com/show_bug.cgi?id=2480684https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39830.json
2026-05-22
Published