PatchSiren cyber security CVE debrief
CVE-2026-39831 golang.org/x/crypto CVE debrief
CVE-2026-39831 is a user-presence enforcement flaw in Go’s FIDO/U2F security key verification path. According to the CVE description, the Verify() method for [email protected] and [email protected] did not check the User Presence flag, so signatures generated without physical touch could still be accepted. The Go security advisory references a fix that restores the previous behavior by returning a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. For organizations that rely on hardware-key touch as an authorization control, this is an integrity and assurance issue rather than a traditional code-execution bug.
- Vendor
- golang.org/x/crypto
- Product
- golang.org/x/crypto/ssh
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-22
- Original CVE updated
- 2026-05-22
- Advisory published
- 2026-05-22
- Advisory updated
- 2026-05-22
Who should care
Teams using Go-based SSH authentication or other workflows that rely on FIDO/U2F security keys, especially identity, platform, and infrastructure administrators who expect physical touch to be required for every authentication event.
Technical summary
The issue is limited to security key verification for the FIDO/U2F public-key types [email protected] and [email protected]. The Verify() method failed to validate the User Presence flag, which means the software could accept a valid signature even when the key had not been physically touched. The advisory text indicates the intended mitigation is to preserve legacy behavior explicitly through a "no-touch-required" extension returned from PublicKeyCallback, implying that the fix changes how user-presence expectations are communicated and enforced.
Defensive priority
High for environments that treat hardware-key touch as a mandatory control. If unattended acceptance of signatures is unacceptable in your authentication policy, this should be prioritized promptly.
Recommended defensive actions
- Review whether your Go-based authentication flow uses FIDO/U2F security key types for SSH or related public-key authentication.
- Apply the Go security fix or upgrade to a release that includes the correction referenced in the official Go announcement.
- Check whether your deployment intentionally depends on non-touch authentication and, if so, confirm that the "no-touch-required" extension is explicitly and correctly set.
- Reassess access controls and compensating controls for any systems where physical touch is expected to enforce step-up or human-present authentication.
- Use the linked Go advisory, issue, and change list to confirm impacted components and remediation guidance for your environment.
Evidence notes
Evidence is limited to the supplied CVE description and the official Go/NVD references. The CVE text explicitly states that Verify() did not check the User Presence flag and that signatures without physical touch were accepted. The Go-linked references include a change list, issue, announcement, and Go vulnerability entry, supporting that the affected logic and fix are in the Go ecosystem. No CVSS score, KEV entry, exploit details, or affected version range was provided in the source corpus, so those are intentionally not asserted here.
Official resources
Publicly disclosed on 2026-05-22 per the supplied CVE and source timestamps. No KEV listing was provided in the source corpus.