CVE-2026-39834
Description
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in Go's x/crypto SSH channel write causes infinite loop when writing over 4 GB in a single call, leading to denial of service.
Vulnerability
In the golang.org/x/crypto SSH package, the Write method on an SSH channel performs its internal payload size calculation with an int comparison whose result wraps at 4 GB (2^32 bytes). When a single Write call passes more than 4 GB of data, the computed size is truncated, so the write loop keeps emitting empty packets without advancing and never terminates [1][3]. All versions of the package before the fix are affected.
Exploitation
The loop runs in the process that calls Write, so the trigger is a single Write call with more than 4 GB of data on an open channel, on either the client or the server side. No privileges beyond the ability to write to the channel are required [3]. A remote peer cannot invoke Write directly; it can only reach the bug indirectly, by getting an application to hand data of that size to one Write call.
Impact
The result is a denial of service: the calling goroutine spins indefinitely, consuming CPU and never returning from Write. Data is not lost or corrupted, but the SSH channel becomes unresponsive [3].
Mitigation
The fix replaces the int size comparison with int64 to prevent truncation [1][3]. The specific patched version is not explicitly listed in the provided references; users should update to the latest release of golang.org/x/crypto per the Go security advisory. No workaround is described, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
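The failure mode above, and the effect of the int64 fix, modelled as an added example. This is not x/crypto's code: the per-packet cap, the exact narrowing expression (a uint32 conversion is assumed here, since the 4 GB boundary points at a 32-bit quantity) and the simulated loop are all assumptions made for illustration. The loop is driven by a byte count rather than a real buffer, so a write of just over 4 GiB can be exercised without allocating it, and a stall is reported instead of spinning.

```go
package main

import (
	"errors"
	"fmt"
)

// maxPayload is an assumed per-packet payload cap; the real limit is
// negotiated per channel and is not the point of the model.
const maxPayload uint32 = 32 * 1024

var errNoProgress = errors.New("write loop stalled: empty packet with data remaining")

// chunkVulnerable models the bug class in the description (not the library's
// own expression): the remaining byte count is narrowed to 32 bits before it
// is compared with the cap. A remaining count that is a multiple of 4 GiB
// narrows to 0, so the loop emits an empty packet and makes no progress.
func chunkVulnerable(remaining int64) int64 {
	space := uint32(remaining) // assumed truncation point: 1<<32 wraps to 0
	if space > maxPayload {
		space = maxPayload
	}
	return int64(space)
}

// chunkFixed keeps the comparison in int64, as the fix described above does,
// so the chunk is never 0 while data remains.
func chunkFixed(remaining int64) int64 {
	if remaining > int64(maxPayload) {
		return int64(maxPayload)
	}
	return remaining
}

// simulateWrite runs the write loop over a byte count instead of a buffer.
// It returns the number of packets that would be sent, or errNoProgress as
// soon as the chunk function yields 0 bytes with data still remaining, which
// is the condition under which the real loop spins forever.
func simulateWrite(total int64, chunk func(int64) int64) (int64, error) {
	var packets int64
	for remaining := total; remaining > 0; {
		n := chunk(remaining)
		if n <= 0 {
			return packets, errNoProgress
		}
		remaining -= n
		packets++
	}
	return packets, nil
}

func main() {
	const big = (int64(1) << 32) + 5 // just over 4 GiB (constructed input)
	for _, c := range []struct {
		name  string
		chunk func(int64) int64
	}{{"vulnerable", chunkVulnerable}, {"fixed", chunkFixed}} {
		packets, err := simulateWrite(big, c.chunk)
		fmt.Printf("%-10s packets=%d err=%v\n", c.name, packets, err)
	}
}
```

With the vulnerable chunk function the first packet carries the 5 bytes above 4 GiB, the remaining count becomes exactly 2^32, the narrowed size is 0, and the loop stalls; any write of 4 GiB or more reaches such a multiple eventually. With the int64 comparison the same write completes in 131073 packets. Below 4 GiB both paths behave identically, which is why the bug is only reached by unusually large single writes.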
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)