CVE-2026-39834
Published 2026-05-22
Priority P352 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.47% (36.9th percentile)
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
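The failure mode above is a classic CWE-190 narrowing bug: a 64-bit length is squeezed into a 32-bit value before it is compared with the packet limit, so anything at or above 2^32 bytes wraps to a small number (exactly 4 GiB wraps to 0), the loop emits empty packets and `sent` never advances. The following Go program is an added illustration written for this page; it is not the golang.org/x/crypto/ssh code and makes no claim about that package's internal names. It models the write loop as a pure chunk-size calculation so it can run without allocating 4 GiB: `chunkSizes32` reproduces the truncation (with an iteration guard so the demonstration terminates), and `chunkSizes64` shows the corrected shape, where the comparison stays in int64. The packet limit `maxPacket` is a constructed constant standing in for the peer-negotiated channel maximum.

```go
package main

import (
	"errors"
	"fmt"
)

// maxPacket is a constructed stand-in for the maximum payload size
// negotiated on an SSH channel; the real value depends on the peer.
const maxPacket int64 = 32768

// fourGiB is the boundary at which a 32-bit length wraps to zero.
const fourGiB = int64(1) << 32

// chunkSizes32 models the vulnerable pattern: the remaining length is
// narrowed to uint32 before being compared with the packet limit. For a
// total >= 2^32 the narrowed value wraps, so the loop produces zero-length
// payloads and never makes progress. maxIters is a guard so this
// demonstration terminates; the error reports that the loop would spin.
func chunkSizes32(total int64, maxIters int) ([]int64, error) {
	var out []int64
	var sent int64
	for i := 0; sent < total; i++ {
		if i >= maxIters {
			return out, errors.New("write loop made no progress: zero-length payloads")
		}
		remaining := uint32(total - sent) // BUG: truncates anything >= 2^32
		n := int64(remaining)
		if n > maxPacket {
			n = maxPacket
		}
		out = append(out, n) // n == 0 here once the wrap happens
		sent += n
	}
	return out, nil
}

// chunkSizes64 is the corrected shape: every comparison is done in int64,
// nothing is truncated, and each iteration sends min(remaining, maxPacket),
// so the loop always advances and terminates.
func chunkSizes64(total int64) []int64 {
	var out []int64
	for sent := int64(0); sent < total; {
		n := total - sent
		if n > maxPacket {
			n = maxPacket
		}
		out = append(out, n)
		sent += n
	}
	return out
}

// sumSizes adds up the chunk sizes so a caller can confirm that the full
// payload was accounted for.
func sumSizes(sizes []int64) int64 {
	var total int64
	for _, n := range sizes {
		total += n
	}
	return total
}

func main() {
	for _, total := range []int64{100000, fourGiB, fourGiB + 1} {
		if chunks, err := chunkSizes32(total, 1000); err != nil {
			fmt.Printf("uint32 loop, total=%d: %v (after %d chunks)\n", total, err, len(chunks))
		} else {
			fmt.Printf("uint32 loop, total=%d: %d chunks, %d bytes\n", total, len(chunks), sumSizes(chunks))
		}
		fixed := chunkSizes64(total)
		fmt.Printf("int64 loop,  total=%d: %d chunks, %d bytes\n", total, len(fixed), sumSizes(fixed))
	}
}
```

Below 4 GiB both variants agree; at exactly 4 GiB the narrowed remainder is 0 on the first iteration, and at 4 GiB + 1 it sends one byte and then stalls, which matches the "empty packets without making progress" description. For the real dependency the remediation is the upgrade listed in the Affected table (golang.org/x/crypto 0.52.0 or later); `govulncheck` is the standard way to confirm a Go module graph no longer pulls in an affected version.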
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| golang.org | x_crypto_golang.org_x_crypto_ssh | < 0.52.0 | 0.52.0 |
| golang.org | x_crypto_ssh | >= 0 < 0.52.0 | 0.52.0 |
| golang | crypto | < 0.52.0 | 0.52.0 |
| ubuntu | google-guest-agent | — | — |
| ubuntu | lxd | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| vendor_ubuntu | 9.1 | CRITICAL | — |
Ubuntu
Google Guest Agent vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 9.1
CVE-2026-39831 [CRITICAL] Google Guest Agent vulnerabilities
Title: Google Guest Agent vulnerabilities
Summary: Several security issues were fixed in Google Guest Agent.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in Google
Guest Agent.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04
LTS, and Ubuntu 26.04
Ubuntu
LXD vulnerabilities
vendor_ubuntu·2026-06-18·CVSS 9.1
CVE-2026-39830 [CRITICAL] LXD vulnerabilities
Title: LXD vulnerabilities
Summary: Several security issues were fixed in LXD.
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides
the corresponding updates for Go Cryptography code embedded in LXD for
CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508.
Original advisory details:
It was discovered that Go Cryptography did not properly handle SSH global
request responses. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2026-39830)
It was discovered that Go Cryptography did not properly verify user
presence when using FIDO/U2F security keys. An attacker could possibly use
this issue to bypass user presence verification for hardware security keys.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 2
GHSA
golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes
ghsa·2026-06-25
CVE-2026-39834 [CRITICAL] CWE-190 golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
VulDB
x-crypto up to 0.51.x integer overflow (EUVD-2026-31400)
vuldb·2026-05-23
CVE-2026-39834 [LOW] x-crypto up to 0.51.x integer overflow (EUVD-2026-31400)
A vulnerability labeled as problematic has been found in x-crypto up to 0.51.x. The impacted element is an unknown function. The manipulation results in integer overflow.
This vulnerability is known as CVE-2026-39834. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.