CVE-2026-39835
Description
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSH servers using CertChecker without setting IsUserAuthority or IsHostAuthority callbacks panic on a client certificate, now fixed to return an error.
Vulnerability
In the golang.org/x/crypto SSH package, CertChecker is used as a public key callback for authenticating certificates. If the server uses CertChecker but does not set the IsUserAuthority or IsHostAuthority callbacks, a client presenting a crafted certificate can trigger a nil pointer dereference, causing the server to panic. This affects all versions of golang.org/x/crypto before the fix released in response to CVE-2026-39835 (Go issue 79563) [1][3].
Exploitation
An attacker only needs network access to the SSH server and the ability to present a certificate during authentication. No prior authentication or special privilege is required. The attacker sends a specially crafted certificate to the server; because the IsUserAuthority/IsHostAuthority callbacks are nil, CertChecker dereferences them, causing a panic that terminates the server process [1][3].
Impact
Successful exploitation results in a denial of service (DoS) via server crash. The panic causes the SSH server to terminate, disrupting all active connections and preventing new ones. There is no information disclosure or code execution; the impact is solely availability [1].
Mitigation
The fix is in golang.org/x/crypto version [0.35.0] or later, where CertChecker now returns an error when these callbacks are nil instead of panicking. Users should update their dependency to the patched version. There is no workaround other than ensuring both IsUserAuthority and IsHostAuthority callbacks are set. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][3].
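To make the failure mode and the fix concrete, the following stand-alone Go program is an added illustration, not code from golang.org/x/crypto or from this record. It models only the shape of ssh.CertChecker that matters here: a caller-supplied IsUserAuthority callback that is nil unless the server sets it. The types PublicKey, rawKey, Certificate and CertChecker, the helpers panics, newChecker and certFrom, and the error values are all constructed stand-ins; the real Authenticate also checks principals, validity period and revocation, which this model omits. It shows the pre-fix path (calling a nil func value, which panics), the fixed path (returning an error instead), and a startup-time Validate check a deployment can use so a missing callback fails when the server is built rather than when the first client connects.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// PublicKey and Certificate are constructed stand-ins for the x/crypto/ssh types;
// only what the authority check needs is modelled.
type PublicKey interface {
	Type() string
	Marshal() []byte
}

type rawKey struct {
	typ  string
	blob []byte
}

func (k rawKey) Type() string    { return k.typ }
func (k rawKey) Marshal() []byte { return k.blob }

// Certificate carries the certified key and the CA key (SignatureKey) that signed it.
type Certificate struct {
	Key          PublicKey
	SignatureKey PublicKey
}

func (c *Certificate) Type() string { return c.Key.Type() + "-cert-v01@openssh.com" }
func (c *Certificate) Marshal() []byte {
	return append(append([]byte(nil), c.Key.Marshal()...), c.SignatureKey.Marshal()...)
}

// CertChecker mirrors the shape of ssh.CertChecker: whether a CA is trusted is
// decided by caller-supplied callbacks, which stay nil unless the server sets them.
type CertChecker struct {
	IsUserAuthority func(auth PublicKey) bool
	IsHostAuthority func(auth PublicKey, address string) bool
}

var (
	ErrNoUserAuthority    = errors.New("ssh: CertChecker.IsUserAuthority is not set")
	ErrNoHostAuthority    = errors.New("ssh: CertChecker.IsHostAuthority is not set")
	ErrUntrustedAuthority = errors.New("ssh: certificate signed by unrecognized authority")
	ErrNotCertificate     = errors.New("ssh: key is not a certificate")
)

// authenticateUnchecked has the pre-fix shape: the callback is invoked as-is.
// Calling a nil func value in Go is a runtime panic, which is what takes the server down.
func (c *CertChecker) authenticateUnchecked(key PublicKey) error {
	cert, ok := key.(*Certificate)
	if !ok {
		return ErrNotCertificate
	}
	if !c.IsUserAuthority(cert.SignatureKey) { // nil func call => panic
		return ErrUntrustedAuthority
	}
	return nil
}

// Authenticate has the fixed shape: an unset callback is an error, so this client
// is rejected while the process keeps serving other connections.
func (c *CertChecker) Authenticate(key PublicKey) error {
	cert, ok := key.(*Certificate)
	if !ok {
		return ErrNotCertificate
	}
	if c.IsUserAuthority == nil {
		return ErrNoUserAuthority
	}
	if !c.IsUserAuthority(cert.SignatureKey) {
		return ErrUntrustedAuthority
	}
	return nil
}

// Validate is the deployment-side check: run it while building the server config
// so a missing callback fails at startup instead of at the first client connection.
func (c *CertChecker) Validate() error {
	if c.IsUserAuthority == nil {
		return ErrNoUserAuthority
	}
	if c.IsHostAuthority == nil {
		return ErrNoHostAuthority
	}
	return nil
}

// panics runs fn and reports whether it panicked, so the pre-fix path can be
// demonstrated without crashing the demo process.
func panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

// trustedCA is a constructed CA key; newChecker builds a checker the way a correctly
// configured server would, comparing the certificate's SignatureKey bytes against it.
var trustedCA = rawKey{typ: "ssh-ed25519", blob: []byte("constructed-trusted-ca")}

func newChecker(ca PublicKey) *CertChecker {
	trusted := func(auth PublicKey) bool { return bytes.Equal(auth.Marshal(), ca.Marshal()) }
	return &CertChecker{
		IsUserAuthority: trusted,
		IsHostAuthority: func(auth PublicKey, _ string) bool { return trusted(auth) },
	}
}

// certFrom builds a constructed certificate signed by ca.
func certFrom(ca PublicKey) *Certificate {
	return &Certificate{Key: rawKey{typ: "ssh-ed25519", blob: []byte("user-key")}, SignatureKey: ca}
}

func main() {
	cert := certFrom(trustedCA)
	unset := &CertChecker{} // server never set the callbacks
	fmt.Println("validate unset checker:", unset.Validate())
	fmt.Println("pre-fix path panics:", panics(func() { _ = unset.authenticateUnchecked(cert) }))
	fmt.Println("fixed path:", unset.Authenticate(cert))

	chk := newChecker(trustedCA)
	fmt.Println("trusted CA:", chk.Authenticate(cert))
	fmt.Println("rogue CA:", chk.Authenticate(certFrom(rawKey{typ: "ssh-ed25519", blob: []byte("rogue-ca")})))
}
```

The defensive takeaways are the two non-vulnerable paths: the library-side nil check in Authenticate is what the patched release provides, and the Validate call is what an operator can add today so an unset callback is caught at deploy time rather than surfacing as a crash under client-controlled input.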
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.