These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-46598 is a Go security issue where certain crafted inputs could cause an ed25519.PrivateKey to be created by casting malformed wire bytes. When that malformed key is later used, it can panic. The practical security impact is service instability and potential denial of service in software that accepts or processes untrusted Ed25519 private key material.
CVE-2026-46597 is a Go security issue involving the AES-GCM packet decoder. A misplaced cast from bytes to int can cause a server-side panic when processing well-crafted inputs, which makes the main defensive concern denial of service rather than data exposure based on the available corpus. The public record and Go security references point to an official fix track, but the supplied source set does not in [truncated]
Published on 2026-05-22, CVE-2026-46595 describes an authorization-bypass issue in Go SSH server handling. The record says that when a callback other than public key authentication is used, source-address validation may be skipped. The description also frames this as a follow-on to CVE-2024-45337, indicating the earlier fix did not fully cover all callback paths.
CVE-2026-42508 describes a certificate-validation defect in Go’s security tooling where a revoked CA "SignatureKey" was not correctly checked for revocation. According to the supplied description, the fix now validates both the certificate key and its associated SignatureKey against @revoked. In practical terms, this is the kind of issue that can weaken trust decisions if a revoked CA key is still accepte [truncated]
CVE-2026-39835 describes a denial-of-service risk in SSH servers that use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority. In that configuration, a client presenting a certificate could trigger a panic. The upstream fix changes CertChecker to return an error instead of panicking when those callbacks are nil.
CVE-2026-39834 describes an integer overflow in Go SSH channel payload size handling. When a single Write call exceeds 4GB, the internal size calculation can truncate, causing the write loop to spin indefinitely and send empty packets without making progress. The published Go references indicate the fix changes the size comparison to int64 to avoid truncation.
CVE-2026-39833 describes a security constraint enforcement flaw in Go's in-memory keyring. A key created through NewKeyring() could accept the ConfirmBeforeUse constraint yet still sign without any confirmation prompt, and callers were not told the constraint was ineffective. The fix changes NewKeyring() to return an error when unsupported constraints are requested.
CVE-2026-39831 is a user-presence enforcement flaw in Go’s FIDO/U2F security key verification path. According to the CVE description, the Verify() method for [email protected] and [email protected] did not check the User Presence flag, so signatures generated without physical touch could still be accepted. The Go security advisory references a fix that restores the previous behav [truncated]
CVE-2026-39830 describes a denial-of-service condition in Go-related SSH handling: a malicious SSH peer can send unsolicited global request responses that fill an internal buffer, block the connection’s read loop, and leave a goroutine/resource stuck even after Close() is called. The reported fix discards unsolicited global responses so they no longer accumulate or hold the connection open.
CVE-2026-39829 describes a denial-of-service issue in Go's RSA and DSA public key parsing and verification path. The parsers did not enforce size limits on key parameters, so an attacker could supply a crafted public key with an excessively large RSA modulus or DSA parameter and force several minutes of CPU consumption during signature verification. The issue could be triggered by unauthenticated clients [truncated]
CVE-2026-39828 is a Go SSH server authentication handling flaw that could silently discard permissions when an auth callback returned PartialSuccessError with non-nil Permissions. In a multi-step login flow, if a second factor later succeeded, certificate-based restrictions such as force-command could be lost, weakening the intended access control policy.
CVE-2026-39827 describes an availability issue in Go-related SSH handling where an authenticated SSH client can repeatedly open channels that the server rejects, causing unbounded memory growth until the server process crashes. The issue is fixed by ensuring rejected channels are removed from internal connection state and released for garbage collection. Because the impact can take down a shared server pr [truncated]