What is CVE-2026-39827?

CVE-2026-39827 is a medium-severity vulnerability in Golang Crypto, classified under Improper Enforcement of Message Integrity During Transmission in a Communication Channel. CVSS score: 6.5/10. Published 2026-05-22.

How severe is CVE-2026-39827?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Golang Crypto

CVE-2026-39827

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly remo…

EPSS: 0.000 (6.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Affected products

Golang Crypto
Golang.org/x/crypto Golang.org/x/crypto/ssh — versions 0

Weakness classification (CWE)

CWE-924 — Improper Enforcement of Message Integrity During Transmission in a Communication Channel

References

security@golang.org (Issue Tracking)
security@golang.org (Issue Tracking)
security@golang.org (Mailing List)
security@golang.org (Vendor Advisory)

Frequently asked questions

What is CVE-2026-39827?: CVE-2026-39827 is a medium-severity vulnerability in Golang Crypto, classified under Improper Enforcement of Message Integrity During Transmission in a Communication Channel. CVSS score: 6.5/10. Published 2026-05-22.
How severe is CVE-2026-39827?: Medium severity. CVSS v3 base score is 6.5 out of 10.