What is CVE-2026-39830?

CVE-2026-39830 is a critical-severity vulnerability in Golang Crypto, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 9.1/10. Published 2026-05-22.

How severe is CVE-2026-39830?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Buffer overflow in Golang Crypto

CVE-2026-39830

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connecti…

Vulnerability class: Buffer Overflow

EPSS: 0.001 (17.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.

Affected products

Golang Crypto
Golang.org/x/crypto Golang.org/x/crypto/ssh — versions 0

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

security@golang.org (Issue Tracking)
security@golang.org (Mailing List)
security@golang.org (Issue Tracking)
security@golang.org (Issue Tracking)
security@golang.org (Vendor Advisory)

Frequently asked questions

What is CVE-2026-39830?: CVE-2026-39830 is a critical-severity vulnerability in Golang Crypto, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 9.1/10. Published 2026-05-22.
How severe is CVE-2026-39830?: Critical severity. CVSS v3 base score is 9.1 out of 10.