CVE-2026-46597
Description
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A misplaced byte-to-int cast in the AES-GCM packet decoder of Go's crypto/ssh library causes a server panic on crafted inputs.
Vulnerability
An incorrectly placed cast from bytes to int in the AES-GCM packet decoder of Go's crypto/ssh package allows a server-side panic when processing specially crafted inputs. This affects all versions of golang.org/x/crypto prior to the fix for Go issue 79561 [1][3].
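The bug class the description names, as an added illustration (not code from golang.org/x/crypto, whose fix details this page does not give): in Go, arithmetic on a byte wraps at 256 before a later cast widens it, so a bounds check built on the wrapped value can pass and the slice expression that follows panics. The function names, the padding-length layout and the sample buffer are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

var errBadPadding = errors.New("illegal padding length")

// Hypothetical decoder step (not x/crypto code): plain[0] is a padding
// length, the payload follows it, and the padding fills the tail.

// stripWrongCast widens after the byte addition, so 255+1 wraps to 0.
func stripWrongCast(plain []byte) ([]byte, error) {
	if len(plain) == 0 {
		return nil, errBadPadding
	}
	padding := plain[0]
	if int(padding+1) >= len(plain) { // byte arithmetic, then cast
		return nil, errBadPadding
	}
	return plain[1 : len(plain)-int(padding)], nil // may panic: end < start
}

// stripFixed widens first, so the check sees the true value 256.
func stripFixed(plain []byte) ([]byte, error) {
	if len(plain) == 0 {
		return nil, errBadPadding
	}
	padding := int(plain[0]) // cast, then int arithmetic
	if padding+1 >= len(plain) {
		return nil, errBadPadding
	}
	return plain[1 : len(plain)-padding], nil
}

// panics reports whether f panicked on in instead of returning an error.
func panics(f func([]byte) ([]byte, error), in []byte) (p bool) {
	defer func() { p = recover() != nil }()
	f(in)
	return false
}

func main() {
	wrapped := make([]byte, 16) // constructed sample buffer
	wrapped[0] = 255
	fmt.Println("wrong cast panics:", panics(stripWrongCast, wrapped))
	fmt.Println("fixed cast panics:", panics(stripFixed, wrapped))
	_, err := stripFixed(wrapped)
	fmt.Println("fixed cast returns:", err)
}
```

When reviewing length or padding checks in packet parsers, look for arithmetic inside the conversion, `int(b+1)`, where `int(b)+1` was intended.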
Exploitation
An attacker can send a well-crafted AES-GCM packet to an SSH server using the vulnerable decoder. No authentication or prior access is required; the attacker only needs network connectivity to trigger the panic.
Impact
Successful exploitation causes the SSH server process to panic, resulting in a denial of service (DoS). No code execution or information disclosure has been reported.
Mitigation
Fix details are not yet publicly disclosed. Refer to Go issue 79561 [3] and the golang.org/x/crypto vulnerability announcement [1] for updates. No workaround is currently available.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.