Home

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

PUBLISHED Reserved 2026-04-07 | Published 2026-05-22 | Updated 2026-05-22 | Assigner Go

Problem types

CWE-833: Deadlock

Product status

Default status
unaffected

Any version before 0.52.0
affected

Credits

NCC Group Cryptography Services, sponsored by Teleport

References

go.dev/issue/79564

groups.google.com/g/golang-announce/c/a082jnz-LvI

go.dev/cl/781640

go.dev/cl/781664

pkg.go.dev/vuln/GO-2026-5017

cve.org (CVE-2026-39830)

nvd.nist.gov (CVE-2026-39830)

Download JSON