PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39830 golang.org/x/crypto CVE debrief

CVE-2026-39830 describes a denial-of-service condition in Go-related SSH handling: a malicious SSH peer can send unsolicited global request responses that fill an internal buffer, block the connection’s read loop, and leave a goroutine/resource stuck even after Close() is called. The reported fix discards unsolicited global responses so they no longer accumulate or hold the connection open.

Vendor
golang.org/x/crypto
Product
golang.org/x/crypto/ssh
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-22
Original CVE updated
2026-05-22
Advisory published
2026-05-22
Advisory updated
2026-05-22

Who should care

Teams running Go applications that rely on the affected SSH implementation or libraries referenced by the Go security advisories should review their exposure, especially services that maintain long-lived SSH connections or accept connections from untrusted peers.

Technical summary

According to the CVE description and the linked Go security references, an attacker-controlled SSH peer could send unexpected global request responses without a corresponding request. Those responses could accumulate in an internal buffer until the read loop became blocked. Because the blocked goroutine could not be released by calling Close(), each affected connection could retain resources and contribute to exhaustion over time. The stated remediation is to discard unsolicited global responses.

Defensive priority

Medium

Recommended defensive actions

  • Identify Go deployments that use SSH functionality referenced by the Go security announcement and confirm whether patched releases are in use.
  • Review long-lived or high-concurrency SSH connections for elevated resource consumption, stalled read loops, or lingering goroutines.
  • Update to a version that includes the fix that discards unsolicited global request responses.
  • If immediate patching is not possible, reduce exposure by limiting untrusted SSH peers and monitoring connection counts and goroutine growth.
  • Correlate any unusual SSH connection persistence or memory growth with the publication date of the advisory for triage context.

Evidence notes

The vulnerability description and timing come from the supplied CVE record dated 2026-05-22 and the linked NVD entry. The corpus also includes Go security references to code changes, an issue tracker entry, a Go announcement, and a Go package vulnerability record, which collectively support that the issue is in Go-related SSH handling. The vendor/product attribution remains low confidence in the supplied data, so this debrief avoids naming a specific package beyond the Go references present in the corpus.

Official resources

Publicly disclosed on 2026-05-22, matching the supplied CVE published date and the associated Go security references.