PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46597 golang.org/x/crypto CVE debrief

CVE-2026-46597 is a Go security issue in golang.org/x/crypto/ssh involving the AES-GCM packet decoder. A misplaced cast from bytes to int can cause a server-side panic when processing crafted inputs, so, based on the available corpus, the main defensive concern is denial of service rather than data exposure. The public record and Go security references point to an official fix track, but the supplied source set does not include affected version ranges or remediation details.

Vendor: golang.org/x/crypto
Product: golang.org/x/crypto/ssh
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-22
Advisory published: 2026-05-22
Advisory updated: 2026-05-22

Who should care

Operators and developers of Go services that decode AES-GCM packets from untrusted clients are the most exposed. Any server path reachable with crafted network input is the immediate risk area, because the failure mode is a panic.

Technical summary

The issue is described as an incorrectly placed cast from bytes to int in the AES-GCM packet decoder. With specially crafted input, that decoding path can panic on the server side. The corpus does not provide affected versions, exploit prerequisites beyond crafted input, or a CVSS score, so conclusions should stay limited to the documented crash/denial-of-service behavior.

Defensive priority

High for exposed services that process untrusted AES-GCM packets, because a panic can take down a process or worker and create an availability incident. Priority should be lower only if the code path is unreachable or already patched.

Recommended defensive actions

  • Review whether your Go services use the AES-GCM packet decoder path referenced by the advisory.
  • Apply the upstream Go fix or advisory guidance once you confirm the affected release set.
  • Restart or recycle any crashed services and monitor for repeated panic patterns after exposure to untrusted traffic.
  • Add tests for malformed or boundary-case packet inputs to ensure the decoder fails safely.
  • Track the official Go advisory GO-2026-5013 and linked issue/CL for remediation specifics.
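As an added example (not code from golang.org/x/crypto, the advisory or the fix), a Go parser for the RFC 4253 section 6 binary-packet framing that validates each length field before any byte-to-int conversion or slice expression, plus the fail-safe wrapper the testing bullet above calls for. The maxPacket ceiling, the ParsePacket/ParsePacketSafe names and the sample packet are assumptions for illustration and say nothing about the actual CVE code path:

```go
// Added example, not golang.org/x/crypto code: RFC 4253 sec. 6 binary-packet parser that
// checks every length before converting or slicing, plus a panic-to-error wrapper.
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPacket = 256 * 1024 // assumed ceiling; real decoders carry their own
const minPadding = 4         // RFC 4253: at least 4 bytes of padding
var ErrMalformed = errors.New("malformed ssh packet")

// ParsePacket returns the payload of one plaintext packet laid out as
// uint32 packet_length | byte padding_length | payload | padding.
func ParsePacket(buf []byte) ([]byte, error) {
	if len(buf) < 5 {
		return nil, fmt.Errorf("%w: %d-byte buffer", ErrMalformed, len(buf))
	}
	pktLen := binary.BigEndian.Uint32(buf[:4]) // keep as uint32, no int cast yet
	if pktLen < minPadding+1 || pktLen > maxPacket {
		return nil, fmt.Errorf("%w: packet_length %d", ErrMalformed, pktLen)
	}
	body := buf[4:]
	if uint64(pktLen) != uint64(len(body)) { // uint64: cannot wrap on 32-bit int
		return nil, fmt.Errorf("%w: packet_length %d vs body %d", ErrMalformed, pktLen, len(body))
	}
	padLen := int(body[0]) // byte -> int only after body is known non-empty
	if padLen < minPadding || padLen >= len(body) {
		return nil, fmt.Errorf("%w: padding_length %d", ErrMalformed, padLen)
	}
	return body[1 : len(body)-padLen], nil
}

// ParsePacketSafe is what a server read loop should call: a panic inside the
// decoder becomes an error for that connection instead of killing the process.
func ParsePacketSafe(buf []byte) (payload []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			payload, err = nil, fmt.Errorf("%w: decoder panic: %v", ErrMalformed, r)
		}
	}()
	return ParsePacket(buf)
}
func main() {
	pkt := []byte{0, 0, 0, 9, 4, 'p', 'i', 'n', 'g', 0, 0, 0, 0} // constructed sample
	fmt.Println(ParsePacketSafe(pkt))
}
```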

Evidence notes

Source corpus evidence is limited to the NVD record, which lists the vulnerability as received and links to official Go references: a code review change, an issue tracker entry, a golang-announce post, and the Go vulnerability entry GO-2026-5013. The description states that an incorrectly placed byte-to-int cast in the AES-GCM packet decoder can trigger a server-side panic for well-crafted inputs. No CVSS score, affected CPEs, or version range were provided in the supplied material.

Official resources

The CVE was published on 2026-05-22, and the supplied source record shows the same timestamp for source publication and modification. Use that date as the disclosure context; no separate fix or vendor embargo timing was provided in the corp