CVE-2026-42508
Description
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A revoked CA SignatureKey was not checked for revocation in golang.org/x/crypto/ssh/knownhosts, allowing bypass of host key revocation.
Vulnerability
The knownhosts package in golang.org/x/crypto failed to check the SignatureKey of a certificate authority (CA) for revocation when processing @revoked markers in a known_hosts file. Only the key itself was checked, not key.SignatureKey. This affects all versions of golang.org/x/crypto prior to the fix [3].
Exploitation
An attacker in possession of a revoked CA signature key can present a certificate signed by that key during an SSH handshake. The knownhosts revocation check will pass because the SignatureKey is not examined, allowing the attacker to bypass revocation without any special network position beyond being able to initiate the connection [1].
Impact
Successful exploitation allows an attacker to bypass host key revocation, enabling impersonation of a trusted host. This undermines the security of SSH connections that rely on the known_hosts revocation mechanism, potentially leading to man-in-the-middle attacks or unauthorized access [3].
Mitigation
The fix is included in the latest release of golang.org/x/crypto. Users should update to the patched version. The issue is tracked as Go issue #79568 [3]. No workaround is available other than updating the package.
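The revocation lookup in miniature, as an added Go model that is not the knownhosts package's own code: `PublicKey`, `RawKey`, `Certificate`, `revokedDB` and both check functions are constructed here to mirror the defect described above, contrasting a lookup of the presented key alone with one that also consults the certificate's `SignatureKey`.

```go
package main

import (
	"errors"
	"fmt"
)

// PublicKey stands in for ssh.PublicKey; @revoked lookups key on Marshal() bytes.
type PublicKey interface{ Marshal() []byte }

// RawKey models a plain host or CA key (constructed for this example).
type RawKey struct{ Blob string }

func (k RawKey) Marshal() []byte { return []byte(k.Blob) }

// Certificate models ssh.Certificate: the presented key plus the CA key
// that signed it (SignatureKey).
type Certificate struct{ Key, SignatureKey PublicKey }

func (c Certificate) Marshal() []byte { return []byte("cert:" + string(c.Key.Marshal())) }

// revokedDB holds keys listed with @revoked markers, keyed on Marshal().
type revokedDB map[string]struct{}

var ErrRevoked = errors.New("knownhosts: key is revoked")

// checkVulnerable mirrors the defect: only the presented key is looked up,
// so a certificate issued by a revoked CA key is accepted.
func checkVulnerable(db revokedDB, remote PublicKey) error {
	if _, ok := db[string(remote.Marshal())]; ok {
		return ErrRevoked
	}
	return nil
}

// checkFixed also looks up the certificate's SignatureKey, so revoking a
// CA key rejects every certificate it signed.
func checkFixed(db revokedDB, remote PublicKey) error {
	if err := checkVulnerable(db, remote); err != nil {
		return err
	}
	if cert, ok := remote.(Certificate); ok {
		if _, ok := db[string(cert.SignatureKey.Marshal())]; ok {
			return fmt.Errorf("%w (certificate authority key)", ErrRevoked)
		}
	}
	return nil
}

func main() {
	ca := RawKey{"ssh-ed25519 CA-KEY-PLACEHOLDER"} // constructed, not a real key
	db := revokedDB{string(ca.Marshal()): {}}
	cert := Certificate{Key: RawKey{"ssh-ed25519 HOST-KEY-PLACEHOLDER"}, SignatureKey: ca}
	fmt.Println("vulnerable:", checkVulnerable(db, cert)) // <nil>: revocation bypassed
	fmt.Println("fixed:", checkFixed(db, cert))           // revoked (certificate authority key)
}
```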
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)