PatchSiren cyber security CVE debrief
CVE-2026-39835 golang.org/x/crypto CVE debrief
CVE-2026-39835 describes a denial-of-service risk in SSH servers that use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority. In that configuration, a client presenting a certificate could trigger a panic. The upstream fix changes CertChecker to return an error instead of panicking when those callbacks are nil.
- Vendor: golang.org/x/crypto
- Product: golang.org/x/crypto/ssh
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
Operators and developers who run or maintain Go-based SSH servers, especially code that uses CertChecker for authentication or authority checks. Security teams should also care because the issue can turn an authentication edge case into an availability impact.
Technical summary
According to the source description, SSH servers using CertChecker as a public key callback are vulnerable when neither IsUserAuthority nor IsHostAuthority is set. If a client presents a certificate, the server could panic. The upstream change referenced by the Go security materials makes CertChecker fail closed by returning an error in that case rather than crashing.
Defensive priority
Medium. This is primarily an availability issue, but it can crash exposed SSH services and should be remediated promptly on any server that accepts certificate-based authentication paths.
Recommended defensive actions
- Review any Go SSH server code that uses CertChecker as a public key callback.
- Confirm that IsUserAuthority or IsHostAuthority is set where CertChecker is used, as appropriate for the server's authentication model.
- Update golang.org/x/crypto (the module that ships CertChecker) to a version that includes the upstream fix referenced in the Go security advisory.
- Test certificate-authentication paths after updating to confirm the server returns an error rather than panicking.
- Monitor SSH service logs and crash reports for authentication-related panics until remediation is complete.
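To support the first two actions above, here is an added example (not part of this debrief and not code from the Go project or golang.org/x/crypto) that uses the standard library's go/ast to audit a Go source file for the configuration the advisory describes: an ssh.CertChecker literal that neither sets IsUserAuthority or IsHostAuthority inline nor has one of those fields assigned later on the variable that holds it. The function names, the "assigned later" heuristic and the sample source it scans are this example's own constructions.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

var authorityFields = map[string]bool{"IsUserAuthority": true, "IsHostAuthority": true}

// certCheckerLit strips an optional & and returns the composite literal when its type is CertChecker or <pkg>.CertChecker.
func certCheckerLit(e ast.Expr) *ast.CompositeLit {
	if u, ok := e.(*ast.UnaryExpr); ok && u.Op == token.AND {
		e = u.X
	}
	cl, ok := e.(*ast.CompositeLit)
	if !ok {
		return nil
	}
	t := cl.Type
	if sel, ok := t.(*ast.SelectorExpr); ok {
		t = sel.Sel
	}
	if id, ok := t.(*ast.Ident); ok && id.Name == "CertChecker" {
		return cl
	}
	return nil
}

// literalSetsAuthority reports whether the literal's own field list names an authority callback.
func literalSetsAuthority(cl *ast.CompositeLit) bool {
	for _, elt := range cl.Elts {
		if kv, ok := elt.(*ast.KeyValueExpr); ok {
			if id, ok := kv.Key.(*ast.Ident); ok && authorityFields[id.Name] {
				return true
			}
		}
	}
	return false
}

// FindUnguardedCertCheckers parses one Go source file and returns the position of every CertChecker
// literal that neither sets an authority callback inline nor is assigned to a variable whose
// IsUserAuthority/IsHostAuthority field is assigned somewhere in the same file (a heuristic, by name).
func FindUnguardedCertCheckers(filename, src string) ([]token.Position, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	guarded := map[string]bool{}    // variables with an authority field assigned
	owner := map[token.Pos]string{} // literal position -> variable it is assigned to
	ast.Inspect(f, func(n ast.Node) bool {
		as, ok := n.(*ast.AssignStmt)
		if !ok {
			return true
		}
		for i, lhs := range as.Lhs {
			if sel, ok := lhs.(*ast.SelectorExpr); ok && authorityFields[sel.Sel.Name] {
				if id, ok := sel.X.(*ast.Ident); ok {
					guarded[id.Name] = true
				}
			}
			if id, ok := lhs.(*ast.Ident); ok && i < len(as.Rhs) {
				if cl := certCheckerLit(as.Rhs[i]); cl != nil {
					owner[cl.Pos()] = id.Name
				}
			}
		}
		return true
	})
	var findings []token.Position
	ast.Inspect(f, func(n ast.Node) bool {
		cl, ok := n.(*ast.CompositeLit)
		if ok && certCheckerLit(cl) != nil && !literalSetsAuthority(cl) && !guarded[owner[cl.Pos()]] {
			findings = append(findings, fset.Position(cl.Pos()))
		}
		return true
	})
	return findings, nil
}

// sampleSrc is constructed input for this example, not code from any real project.
const sampleSrc = `package main
import "golang.org/x/crypto/ssh"
func configs(ca ssh.PublicKey) []*ssh.ServerConfig {
	isCA := func(k ssh.PublicKey) bool { return string(k.Marshal()) == string(ca.Marshal()) }
	inline := &ssh.CertChecker{IsUserAuthority: isCA} // authority set in the literal
	late := &ssh.CertChecker{}                        // authority assigned after construction
	late.IsUserAuthority = isCA
	bad := ssh.CertChecker{} // neither callback is ever set
	return []*ssh.ServerConfig{{PublicKeyCallback: inline.Authenticate}, {PublicKeyCallback: late.Authenticate}, {PublicKeyCallback: bad.Authenticate}}
}
`

func main() {
	findings, err := FindUnguardedCertCheckers("sample.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(findings) // only the "bad" literal on line 8 of sampleSrc is reported
}
```

Run against your own files by replacing sampleSrc with the file contents. The check is syntactic: fields set through a `var` declaration, a function parameter, another file or a helper that returns a configured checker are not tracked, so its output is a list of places to review, not a proof of safety, and a clean result does not replace updating golang.org/x/crypto.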
Evidence notes
The CVE was published on 2026-05-22. The NVD source item marks the vulnerability status as Received and links to Go-maintained references: a code change, an issue, an announcement, and a Go vulnerability entry. The supplied description states that CertChecker could panic when used without IsUserAuthority or IsHostAuthority and that the fix changes it to return an error. No CVSS vector or score was supplied in the source corpus.
Official resources
Publicly disclosed on 2026-05-22 through NVD and Go security advisory materials.