CVE-2026-39831 — Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/c

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

How to fix CVE-2026-39831

To remediate CVE-2026-39831, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 0.52.0 or later

Is CVE-2026-39831 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 0.52.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-39831
PATCHgo.dev/cl/781662
REPORTgo.dev/issue/79566
WEBgroups.google.com/g/golang-announce/c/a082jnz-LvI