golang.org/x/crypto/ssh/agent (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package golang.org/x/crypto/ssh/agent, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2026-39833 — CVSS 9.1 (critical): The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key…
CVE-2025-47913 — CVSS 7.5 (high): SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
CVE-2026-46598 — CVSS 5.3 (medium): For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.