CVE-2026-39827

6.5 MEDIUM

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually ...

Published: 2026-05-22 · Last updated: 2026-05-26

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-924

Affected products

Vendor	Product
golang	crypto

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-39827
[Other]https://go.dev/cl/781320
[Other]https://go.dev/issue/35127
[Other]https://groups.google.com/g/golang-announce/c/a082jnz-LvI
[Vendor advisory]https://pkg.go.dev/vuln/GO-2026-5016

Related CVEs

Same vendor

CVE-2026-42506 — Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree (6.1 MEDIUM)
CVE-2026-42502 — Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree (6.1 MEDIUM)
CVE-2026-39821 — The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label (9.6 CRITICAL)
CVE-2026-27136 — Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree (6.1 MEDIUM)
CVE-2026-25681 — Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree (6.1 MEDIUM)

Same CWE

CVE-2019-25719 — Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower con... (8.6 HIGH)
CVE-2023-2885 — Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in CBOT Chatbot allows Adversary i... (8.1 HIGH)