CVE-2026-39827 | THREATINT

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

PUBLISHED Reserved 2026-04-07 | Published 2026-05-22 | Updated 2026-05-22 | Assigner Go

Problem types

CWE-401: Missing Release of Memory after Effective Lifetime

Product status

Default status

unaffected

Any version before 0.52.0

affected

Credits

Ziyan Zhou

References

go.dev/issue/35127

go.dev/cl/781320

groups.google.com/g/golang-announce/c/a082jnz-LvI

pkg.go.dev/vuln/GO-2026-5016

cve.org (CVE-2026-39827)

nvd.nist.gov (CVE-2026-39827)

Download JSON