CVE-2026-39830
Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious SSH peer can cause a resource leak by sending unsolicited global request responses, blocking the connection's read loop and preventing closure.
Vulnerability
In the SSH implementation of the golang.org/x/crypto package, unsolicited global request responses from a peer are not discarded. Instead, they fill an internal buffer, blocking the connection's read loop. The blocked goroutine cannot be released by calling Close(), resulting in a resource leak per connection. This affects all versions of golang.org/x/crypto prior to the fix [2][3].
Exploitation
An attacker with network access to an SSH peer (either client or server) can send unsolicited global request responses during an established SSH connection. No authentication is required beyond establishing the SSH transport. By sending a sufficient number of such responses, the attacker fills the internal buffer, causing the read loop to block indefinitely. The connection then cannot be closed properly, leaving a goroutine and associated resources leaked [3].
Impact
Successful exploitation leads to a resource leak per connection. An attacker can repeatedly open connections and send unsolicited responses to exhaust server or client resources (goroutines, memory), resulting in a denial of service. The vulnerability does not allow code execution or information disclosure [2][3].
Mitigation
The fix discards unsolicited global request responses. The issue is resolved in the latest release of golang.org/x/crypto. Users should update to the version containing the fix (e.g., after commit ...). No workaround is available [2][3].
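The blocking pattern and the discard fix described above, modelled as an added Go example; this is not code from golang.org/x/crypto. The `mux` type, the `run` helper and the buffer size of 4 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

const bufSize = 4 // constructed value; the page does not state the real buffer size

// mux is a toy stand-in for a connection multiplexer (hypothetical type).
type mux struct {
	responses chan string // replies to global requests this side sent
	pending   int         // requests still waiting for a reply
	discard   bool        // hardened: drop replies nobody is waiting for
}

// readLoop processes peer replies in order, as a connection's read loop would.
func (m *mux) readLoop(msgs []string) {
	for _, msg := range msgs {
		if m.discard && m.pending == 0 {
			continue // unsolicited reply: drop it and keep reading
		}
		m.responses <- msg // with no reader, blocks for good once the buffer is full
		if m.pending > 0 {
			m.pending--
		}
	}
}

// run feeds count replies to a loop with `pending` outstanding requests and
// reports how many were buffered and whether the loop was still stuck.
func run(discard bool, pending, count int) (buffered int, stuck bool) {
	m := &mux{responses: make(chan string, bufSize), pending: pending, discard: discard}
	done := make(chan struct{})
	go func() { m.readLoop(make([]string, count)); close(done) }()
	select {
	case <-done:
		return len(m.responses), false
	case <-time.After(200 * time.Millisecond):
		return len(m.responses), true // the goroutine is leaked, as in the CVE
	}
}

func main() {
	fmt.Println(run(false, 0, bufSize+1)) // 4 true: loop wedged on the fifth reply
	fmt.Println(run(true, 0, bufSize+1))  // 0 false: all five discarded
	fmt.Println(run(true, 1, bufSize+1))  // 1 false: the one solicited reply is kept
}
```

Counting goroutines with `runtime.NumGoroutine()` before and after closing connections is one way to spot this kind of leak in a long-running service.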
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 5
News mentions: 0
No linked articles in our index yet.