CVE-2026-46598
Description
For certain crafted inputs, an 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The golang.org/x/crypto/ssh/agent package panics when processing a crafted input that creates an ed25519.PrivateKey from malformed wire bytes via unsafe casting.
Vulnerability
A vulnerability exists in the golang.org/x/crypto/ssh/agent package where a crafted pathological input can cause ed25519.PrivateKey to be created by directly casting malformed wire bytes. This improper handling of malformed wire data leads to a panic when the resulting key is used. Affected versions include those prior to the fix in the golang.org/x/crypto module, as described in [1] and [3].
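The failure mode described above, as an added example that is not code from golang.org/x/crypto: an unchecked conversion of wire bytes to `ed25519.PrivateKey` beside a length-validating form. The helper names are hypothetical, the inputs are constructed, and it assumes the malformed bytes are a key blob of the wrong length.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// uncheckedKey reproduces the pattern named in the description: wire bytes
// are converted directly to ed25519.PrivateKey with no validation.
// (Hypothetical helper, not code from golang.org/x/crypto.)
func uncheckedKey(wire []byte) ed25519.PrivateKey {
	return ed25519.PrivateKey(wire)
}

// checkedKey is the hardened form: reject anything that is not exactly
// ed25519.PrivateKeySize (64) bytes before the conversion.
// Assumption: "malformed" means a wrong-length key blob.
func checkedKey(wire []byte) (ed25519.PrivateKey, error) {
	if len(wire) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("ed25519 private key: got %d bytes, want %d",
			len(wire), ed25519.PrivateKeySize)
	}
	return ed25519.PrivateKey(wire), nil
}

// signPanics reports whether using the key panics. ed25519.Sign is
// documented to panic when the key length is not PrivateKeySize.
func signPanics(key ed25519.PrivateKey) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	ed25519.Sign(key, []byte("constructed message"))
	return false
}

func main() {
	short := make([]byte, 31) // constructed malformed input, wrong length
	fmt.Println("unchecked key panics on use:", signPanics(uncheckedKey(short)))

	_, err := checkedKey(short)
	fmt.Println("checked parse rejects it:", err)

	good := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed key
	k, _ := checkedKey(good)
	fmt.Println("well-formed key panics on use:", signPanics(k))
}
```

Returning an error at parse time keeps the failure in the caller's normal error path instead of crashing the process later, when the key is first used to sign.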
Exploitation
An attacker able to supply crafted input to an SSH agent (for example, during key exchange or agent forwarding) can trigger the vulnerable code path. No authentication is required if the attacker controls the communication channel to the agent; the input causes the ssh/agent package to panic, leading to a denial of service for the client process.
Impact
Successful exploitation results in a client panic, which is a denial-of-service condition. The vulnerability does not appear to allow code execution or information disclosure beyond the crash; the primary impact is availability of the client application using the vulnerable ssh/agent package.
Mitigation
The fix is included in the updated golang.org/x/crypto package. Users should upgrade to a version that includes the patch for CVE-2026-46598 [1] [3]. No workaround is available; the only mitigation is to apply the update. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.