CVE-2026-39830
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
CVSS 3.1: 9.1 CRITICAL
EPSS 0.05%
Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
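The failure mode described above, as an added example: a simplified model of a read loop that forwards responses into a bounded channel, next to the hardened behaviour of discarding unsolicited ones. This is not the golang.org/x/crypto/ssh code; `readLoop`, `simulate`, `bufSize` and the packet labels are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

const bufSize = 4 // constructed buffer size for this model only

// readLoop models a read loop that hands global request responses to a
// bounded channel. pending is how many requests the local side really sent.
func readLoop(packets []string, pending int, discard bool, responses chan<- string) {
	for _, p := range packets {
		if p != "response" {
			continue // other packet types are out of scope for the model
		}
		if pending == 0 && discard {
			continue // hardened: nobody is waiting for this reply, drop it
		}
		if pending > 0 {
			pending--
		}
		// No cancellation case: once the buffer is full this send blocks for good.
		responses <- p
	}
}

// simulate feeds n unsolicited responses to the loop and reports whether it
// processed all packets before the timeout (false means the loop is stuck).
func simulate(n int, discard bool) bool {
	packets := make([]string, n, n+1)
	for i := range packets {
		packets[i] = "response"
	}
	packets = append(packets, "data")
	responses := make(chan string, bufSize) // no receiver: no request was sent
	done := make(chan struct{})
	go func() { readLoop(packets, 0, discard, responses); close(done) }()
	select {
	case <-done:
		return true
	case <-time.After(200 * time.Millisecond):
		return false
	}
}

func main() {
	fmt.Println(simulate(bufSize+1, false), simulate(1000, true))
}
```

In the blocking variant the goroutine stays parked on the channel send, which is the per-connection leak the description refers to.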
How to fix CVE-2026-39830
To remediate CVE-2026-39830, upgrade the affected package to one of the fixed versions listed below.
- —no fix listed
- —upgrade to 0.52.0 or later
Is CVE-2026-39830 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.52.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |