CVE-2026-39829
Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
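The size limits described above, written out as a stand-alone Go check (an added example, not code from golang.org/x/crypto or from this advisory). The names `CheckKeyParams` and `bitsSet` and the exact DSA bounds (512 to 1024-bit p in 64-bit steps, 160-bit q) are assumptions based on a reading of FIPS 186-2; the sample values are constructed for size only and are not real keys.

```go
package main

import (
	"crypto"
	"crypto/dsa"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

const maxRSABits = 8192 // RSA modulus limit stated in the advisory

// CheckKeyParams rejects oversized RSA/DSA parameters before any signature is
// verified; other key types are out of scope and pass through. With x/crypto/ssh,
// pub would come from key.(ssh.CryptoPublicKey).CryptoPublicKey().
func CheckKeyParams(pub crypto.PublicKey) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k.N == nil || k.N.Sign() <= 0 {
			return errors.New("rsa: missing or non-positive modulus")
		}
		if n := k.N.BitLen(); n > maxRSABits {
			return fmt.Errorf("rsa: %d-bit modulus exceeds %d bits", n, maxRSABits)
		}
	case *dsa.PublicKey:
		if k.P == nil || k.Q == nil || k.G == nil || k.Y == nil {
			return errors.New("dsa: missing parameter")
		}
		// Assumed reading of FIPS 186-2: 512..1024-bit p in 64-bit steps, 160-bit q.
		if l := k.P.BitLen(); l < 512 || l > 1024 || l%64 != 0 {
			return fmt.Errorf("dsa: unsupported p size %d bits", l)
		}
		if n := k.Q.BitLen(); n != 160 {
			return fmt.Errorf("dsa: unsupported q size %d bits", n)
		}
		one := big.NewInt(1)
		if k.G.Cmp(one) <= 0 || k.G.Cmp(k.P) >= 0 || k.Y.Cmp(one) <= 0 || k.Y.Cmp(k.P) >= 0 {
			return errors.New("dsa: g or y outside (1, p)")
		}
	}
	return nil
}

// bitsSet returns a constructed value with exactly n significant bits (n >= 1).
func bitsSet(n uint) *big.Int { return new(big.Int).Lsh(big.NewInt(1), n-1) }

func main() { // first result is <nil>, second is the RSA size error
	fmt.Println(CheckKeyParams(&rsa.PublicKey{N: bitsSet(8192), E: 65537}), CheckKeyParams(&rsa.PublicKey{N: bitsSet(65536), E: 65537}))
}
```

Both checks only compare bit lengths and ranges, so they cost a few word operations regardless of how large the submitted parameters are.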
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unenforced size limits in RSA/DSA public key parsers allow unauthenticated clients to cause minutes-long CPU consumption via crafted keys.
Vulnerability
In the golang.org/x/crypto SSH package, versions before v0.36.0, the RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large RSA modulus or oversized DSA parameters can cause signature verification to consume CPU for several minutes. Any code that uses golang.org/x/crypto/ssh from a release prior to the fix is affected. The patch limits RSA moduli to 8192 bits and validates DSA parameters per FIPS 186-2 [1], [2], [3].
Exploitation
An unauthenticated client can trigger the vulnerability by presenting a maliciously crafted public key during SSH public key authentication. The attacker only needs network connectivity to an SSH server or client that performs signature verification using the vulnerable parsers. No additional authentication or user interaction is required [1], [3].
Impact
Successful exploitation causes a denial-of-service (DoS) condition: the target system spends several minutes of CPU time verifying the crafted key, potentially exhausting CPU resources for other tasks. The vulnerability does not lead to code execution, privilege escalation, or information disclosure; the impact is limited to CPU exhaustion [1], [2].
Mitigation
The fix is included in golang.org/x/crypto version v0.36.0 and later. Users should update to this version or newer. No workaround is available; systems running vulnerable versions should apply the update as soon as possible. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog [2], [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.