CVE-2026-39831
published 2026-05-22CVE-2026-39831: The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag…
PriorityP352critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.37%
29.2th percentile
The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| golang.org | x_crypto_golang.org_x_crypto_ssh | < 0.52.0 | 0.52.0 |
| golang.org | x_crypto_ssh | >= 0 < 0.52.0 | 0.52.0 |
| golang | crypto | < 0.52.0 | 0.52.0 |
| ubuntu | google-guest-agent | — | — |
| ubuntu | lxd | — | — |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_ubuntu9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed
ghsa·2026-06-25
CVE-2026-39831 [CRITICAL] CWE-862 golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed
golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed
The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
VulDB
x-crypto up to 0.51.x FIDO/U2F Verify authentication spoofing (EUVD-2026-31395 / WID-SEC-2026-1653)
vuldb·2026-05-23
CVE-2026-39831 [CRITICAL] x-crypto up to 0.51.x FIDO/U2F Verify authentication spoofing (EUVD-2026-31395 / WID-SEC-2026-1653)
A vulnerability, which was classified as critical, has been found in x-crypto up to 0.51.x. This impacts the function Verify of the component FIDO/U2F. Performing a manipulation results in authentication bypass by spoofing.
This vulnerability is identified as CVE-2026-39831. The attack may be carried out on the physical device. There is not any exploit available.
It is advisable to upgrade the affected component.
Ubuntu
Google Guest Agent vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 9.1
CVE-2026-39831 [CRITICAL] Google Guest Agent vulnerabilities
Title: Google Guest Agent vulnerabilities
Summary: Several security issues were fixed in Google Guest Agent.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in Google
Guest Agent.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04
LTS, and Ubuntu 26.04
Ubuntu
LXD vulnerabilities
vendor_ubuntu·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] LXD vulnerabilities
Title: LXD vulnerabilities
Summary: Several security issues were fixed in LXD.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in LXD for
CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-22
Published