All vulnerabilities
CVE-2026-39834
golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes
Description
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgrading
Score
9.1
Severity
Critical
Ecosystem
GO
Publish Date
June 25, 2026
Modified Date
June 25, 2026
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Versions
