GO-2026-5016

Source
https://pkg.go.dev/vuln/GO-2026-5016
Import Source
https://vuln.go.dev/ID/GO-2026-5016.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-5016
Aliases
  • CVE-2026-39827
Published
2026-05-22T02:08:34Z
Modified
2026-05-22T02:30:20.558544639Z
Summary
Memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
Details

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2026-5016",
    "review_status": "REVIEWED"
}
Credits
    • Ziyan Zhou

Affected packages

Go / golang.org/x/crypto

Package

Name
golang.org/x/crypto
Purl
pkg:golang/golang.org/x/crypto

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.52.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "channel.Reject"
            ],
            "path": "golang.org/x/crypto/ssh"
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-5016.json"