PatchSiren cyber security CVE debrief
CVE-2019-11840 Debian CVE debrief
CVE-2019-11840 affects the amd64 implementation of golang.org/x/crypto's salsa20 code. After very large keystream generation, the implementation can begin producing incorrect output and then cycle back to previously generated keystream, which can undermine confidentiality in encryption use cases and predictability in CSPRNG use cases. The issue was publicly disclosed in 2019 and is fixed in the upstream crypto repository commit referenced by the official records.
- Vendor
- Debian
- Product
- Unknown
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2019-05-09
- Original CVE updated
- 2026-05-18
- Advisory published
- 2019-05-09
- Advisory updated
- 2026-05-18
Who should care
Teams that use golang.org/x/crypto salsa20 on amd64, especially if the code may generate very large amounts of keystream or relies on long-running cryptographic streams. Debian users should also review vendor advisories for affected releases listed in NVD.
Technical summary
NVD describes a flaw in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa before v0.0.0-20190320223903-b7391e95e576. If more than 256 GiB of keystream is generated, or if the counter grows beyond 32 bits, the implementation first produces incorrect output and then reuses earlier keystream. The documented impact is repeated keystream bytes, which can reduce confidentiality in encryption applications or predictability in CSPRNG applications. NVD maps the weakness to CWE-330 and rates the issue CVSS 3.1 5.9 (Medium).
Defensive priority
Medium. The flaw is not listed in the supplied data as actively exploited or in CISA KEV, but it can affect confidentiality where large keystream volumes are possible. Priority should rise for systems using long-lived or high-volume salsa20-based encryption paths.
Recommended defensive actions
- Confirm whether your applications depend on golang.org/x/crypto salsa20 or salsa on amd64.
- Upgrade to a version at or after the fixed upstream reference identified in the record (v0.0.0-20190320223903-b7391e95e576 or newer).
- Review any long-running encryption or CSPRNG uses that might approach very large keystream generation.
- Check distro/vendor advisories for packaged copies, including the Debian LTS announcements referenced by NVD.
- If replacement is not immediate, limit reliance on affected implementations for high-volume stream generation and prioritize patching.
Evidence notes
The core vulnerability statement comes from the NVD record and the CVE description, which note incorrect output and keystream cycling in the amd64 implementation after more than 256 GiB of output or a counter beyond 32 bits. Supporting references include the upstream Go issue, the upstream patch commit, and Debian LTS advisories. The supplied data does not indicate CISA KEV inclusion or ransomware linkage.
Official resources
-
CVE-2019-11840 CVE record
CVE.org
-
CVE-2019-11840 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Mailing List, Patch, Third Party Advisory
-
Source reference
[email protected] - Permissions Required
-
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Publicly disclosed on 2019-05-09 in the NVD record. The supplied data shows later upstream and Debian advisory references, but no CISA KEV listing.