All vulnerabilities
CVE-2026-39835
golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Description
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgrading
Score
5.3
Severity
Medium
Ecosystem
GO
Publish Date
June 25, 2026
Modified Date
June 25, 2026
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Versions
