golang.org/x/crypto/ssh (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package golang.org/x/crypto/ssh, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2026-46595 — CVSS 10.0 (critical): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed…
CVE-2026-39834 — CVSS 9.1 (critical): When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation…
CVE-2026-39830 — CVSS 9.1 (critical): A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The…
CVE-2026-46597 — CVSS 7.5 (high): An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
CVE-2026-39829 — CVSS 7.5 (high): The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or…
CVE-2026-39827 — CVSS 6.5 (medium): An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually…
CVE-2026-39828 — CVSS 6.3 (medium): When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently…
CVE-2026-39835 — CVSS 5.3 (medium): SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a…