CVE-2020-29652
Description
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSH servers using golang.org/x/crypto/ssh can be remotely crashed via a nil pointer dereference when a client sends a gssapi-with-mic request without the server's GSSAPIWithMICConfig set.
Root cause
The vulnerability is a nil pointer dereference in the golang.org/x/crypto/ssh package (versions before v0.0.0-20201216223049-8b5274cf687f). When an SSH server is configured without setting the GSSAPIWithMICConfig field in ServerConfig, a client can send an authentication request for the "gssapi-with-mic" method, and NewServerConn panics on the nil pointer [3][4].
Exploitation
A remote, unauthenticated attacker can exploit this by initiating an SSH connection to the affected server and sending a crafted authentication request for the "gssapi-with-mic" method, even if the server does not advertise support for GSSAPI. No prior authentication is required, and the attacker only needs network access to the SSH server [2][4].
Impact
Successful exploitation results in a denial of service (DoS) condition, crashing the SSH server process. This can disrupt legitimate SSH access and potentially affect other services relying on the same process. The vulnerability does not lead to remote code execution or data disclosure [1][2].
Mitigation
The fix is included in golang.org/x/crypto version v0.0.0-20201216223049-8b5274cf687f and later, committed to the repository in commit 8b5274cf687fd9316b4108863654cc57385531e8 [3]. Users should update their dependency to this version or later. The vulnerability was discovered and reported by Joern Schneeweisz of the GitLab Security Research Team [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
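The mitigation above comes down to one check: is the golang.org/x/crypto module in a build older than the fixed pseudo-version? The following Go program is an added example, not code from the advisory or from the x/crypto project. It scans a go.mod file for golang.org/x/crypto requirements and classifies each version by comparing the 14-digit UTC timestamp embedded in the pseudo-version against the fixed one from this page. The sample go.mod is constructed for the example; it pins the last affected pseudo-version named in the description. One assumption is labelled in the code: tagged x/crypto releases (v0.1.0 and later) are treated as patched because they postdate the December 2020 fix.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Module and fixed pseudo-version as stated in the advisory on this page.
const (
	ModulePath     = "golang.org/x/crypto"
	FixedTimestamp = "20201216223049" // from v0.0.0-20201216223049-8b5274cf687f
)

// Untagged x/crypto pseudo-versions of this era look like
// v0.0.0-<14-digit UTC timestamp>-<12 hex chars of the commit>.
var pseudoVersionRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// Tagged releases. Assumption: every tagged x/crypto release (v0.1.0 and
// later) postdates the fix, so a plain semver tag is treated as patched.
var taggedVersionRe = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)

// IsVulnerable reports whether an x/crypto module version predates the fix.
func IsVulnerable(version string) (bool, error) {
	if m := pseudoVersionRe.FindStringSubmatch(version); m != nil {
		// Same base version on both sides, so the fixed-width
		// timestamps compare correctly as strings.
		return m[1] < FixedTimestamp, nil
	}
	if taggedVersionRe.MatchString(version) {
		return false, nil
	}
	return false, fmt.Errorf("unrecognised %s version %q", ModulePath, version)
}

// Finding records one x/crypto requirement found in a go.mod file.
type Finding struct {
	Version    string
	Indirect   bool // "// indirect" still links the package into the binary
	Vulnerable bool
	Err        error
}

// ScanGoMod extracts every golang.org/x/crypto requirement from go.mod text,
// whether written as a single-line "require" directive or inside a require
// block, and classifies each one. replace/exclude directives are skipped.
func ScanGoMod(src string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "replace ") || strings.HasPrefix(line, "exclude ") {
			continue
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != ModulePath {
			continue
		}
		f := Finding{Version: fields[1], Indirect: strings.Contains(line, "// indirect")}
		f.Vulnerable, f.Err = IsVulnerable(f.Version)
		findings = append(findings, f)
	}
	return findings
}

// Constructed sample go.mod pinning the last affected pseudo-version.
const sampleGoMod = `module example.com/sshd-demo

go 1.15

require (
	github.com/example/dep v1.2.3
	golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c // indirect
)
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		if f.Err != nil {
			fmt.Printf("%s %s: %v\n", ModulePath, f.Version, f.Err)
			continue
		}
		fmt.Printf("%s %s indirect=%t vulnerable=%t\n", ModulePath, f.Version, f.Indirect, f.Vulnerable)
	}
}
```

The scan reports indirect requirements too: a dependency pulled in by another module still links the vulnerable ssh package into any server binary that imports it, so the indirect flag is informational, not a reason to ignore the finding. Only modules that actually instantiate an SSH server with ssh.ServerConfig are exposed, which is the reachability question a tool like govulncheck answers for the Go vulnerability database entry GO-2021-0227 listed in the references.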
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| golang.org/x/crypto | Go | < 0.0.0-20201216223049-8b5274cf687f | 0.0.0-20201216223049-8b5274cf687f |
Affected products
19 affected package coordinates (OSV), none with a CPE assigned:

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/k3d | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | < 5.6.0-r11 |
| pkg:golang/golang.org/x/crypto | < 0.0.0-20201216223049-8b5274cf687f |
| pkg:rpm/almalinux/cockpit-podman | < 29-2.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/conmon | < 2:2.0.26-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/containernetworking-plugins | < 0.9.1-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/crit | < 3.15-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/criu | < 3.15-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/fuse-overlayfs | < 1.4.0-2.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/libslirp | < 4.3.1-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/libslirp-devel | < 4.3.1-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/python3-criu | < 3.15-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/slirp4netns | < 1.1.8-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/almalinux/udica | < 0.2.4-1.module_el8.6.0+2876+9ed4eae2 |
| pkg:rpm/opensuse/velero&distro=openSUSE%20Tumbleweed | < 1.7.1-1.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3vm4-22fp-5rfm (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-29652 (NVD)
- go-review.googlesource.com/c/crypto/+/278852 (Gerrit code review for the fix)
- go.dev/cl/278852 (change list for the fix)
- go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8 (fix commit)
- groups.google.com/g/golang-announce/c/ouZIlBimOsE (golang-announce mailing list)
- lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E (Apache SkyWalking notifications mailing list)
- pkg.go.dev/vuln/GO-2021-0227 (Go vulnerability database)
News mentions
No linked articles in our index yet.