CVE-2026-39827
Description
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSH server memory leak when authenticated client repeatedly opens and closes rejected channels, leading to crash and denial of service.
Vulnerability
An authenticated SSH client that repeatedly opens channels which are rejected by the server causes unbounded memory growth in the server process. The server never removes rejected channels from the connection's internal state, so each rejected channel consumes memory that is never freed. Eventually, the server runs out of memory and crashes, affecting all connected users. The vulnerability affects the golang.org/x/crypto package before version v0.52.0 [1][2][3].
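The leak described above comes down to one bookkeeping step: a multiplexed transport must track every channel a client opens, and the rejection path has to drop that entry again. The Go program below is a constructed model added here to illustrate that mechanism; it is not code from golang.org/x/crypto, and the `connection`, `channel`, `simulateRejections` and `exceedsLimit` names are this example's own. The `removeOnReject` flag switches between the leaking behaviour (the entry stays in the table) and the corrected behaviour (the entry is deleted so the channel becomes garbage), and `exceedsLimit` is an illustrative monitoring check on how much per-connection state is being held, not a substitute for upgrading.

```go
package main

import "fmt"

// Constructed model (not golang.org/x/crypto code): a server-side SSH
// connection tracks the channels a client has opened in a per-connection
// table keyed by channel id, so that later messages can be routed to the
// right channel.
type channel struct {
	id      uint32
	payload []byte // stands in for the buffers a real channel allocates
}

type connection struct {
	channels       map[uint32]*channel
	nextID         uint32
	removeOnReject bool // false reproduces the leak, true models the fix
}

func newConnection(fixed bool) *connection {
	return &connection{channels: make(map[uint32]*channel), removeOnReject: fixed}
}

// openChannel registers a newly requested channel in the connection state
// before the server decides whether to accept or reject it.
func (c *connection) openChannel() *channel {
	ch := &channel{id: c.nextID, payload: make([]byte, 1024)}
	c.nextID++
	c.channels[ch.id] = ch
	return ch
}

// reject answers a channel-open request with a rejection. The vulnerable
// path never removes the entry from the table, so the channel and its
// buffers stay reachable and are never garbage collected; the fixed path
// deletes the entry.
func (c *connection) reject(ch *channel) {
	if c.removeOnReject {
		delete(c.channels, ch.id)
	}
}

// trackedChannels is the number of channel entries the connection still
// holds; for a client that only ever receives rejections it should be 0.
func (c *connection) trackedChannels() int { return len(c.channels) }

// simulateRejections drives n open/reject cycles on a fresh connection and
// returns how many entries were left behind.
func simulateRejections(fixed bool, n int) int {
	c := newConnection(fixed)
	for i := 0; i < n; i++ {
		c.reject(c.openChannel())
	}
	return c.trackedChannels()
}

// exceedsLimit is an illustrative observability check: report connections
// whose retained channel count exceeds a ceiling, a sign that state is
// accumulating faster than it is released.
func exceedsLimit(c *connection, limit int) bool {
	return c.trackedChannels() > limit
}

func main() {
	fmt.Println("entries retained after 10000 rejections, leaking model:", simulateRejections(false, 10000))
	fmt.Println("entries retained after 10000 rejections, fixed model:  ", simulateRejections(true, 10000))
}
```

Running the program shows the leaking model retaining one entry per rejected channel while the fixed model retains none, which is the difference between memory growing with every rejected open request and staying flat.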
Exploitation
An attacker must first authenticate to the SSH server, then repeatedly open new channels that the server rejects via channel.Reject(). No special privileges beyond valid SSH credentials are needed; the attacker simply opens a large number of channels that are rejected. No race condition or special timing is required [2][3].
Impact
Successful exploitation causes the SSH server process to exhaust available memory and crash, resulting in a denial of service (DoS) condition that terminates all existing SSH sessions and prevents new connections. The attacker does not gain code execution, privilege escalation, or information disclosure [1][2].
Mitigation
Upgrade to golang.org/x/crypto version v0.52.0 or later, released on 2026-05-22, which properly removes rejected channels from the connection's internal state and releases them for garbage collection [1][2][3]. There is no known workaround for unpatched versions. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.