CVE-2026-39829
CVE-2026-39829 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. EPSS estimates a 0.30% chance of exploitation in the next 30 days.
Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
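A pre-verification size check of the kind the description says was missing, as an added example (not the golang.org/x/crypto code). The function names are hypothetical, the 8192-bit limit is the one stated above, and the DSA bounds are an assumed reading of the FIPS 186-2 parameter sizes (p of 512 to 1024 bits in multiples of 64, q of 160 bits). Only sizes and ranges are checked, not primality.

```go
package main

import (
	"crypto/dsa"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// maxRSAModulusBits is the RSA limit stated in the advisory text.
const maxRSAModulusBits = 8192

// checkRSAKeySize rejects an RSA public key before any signature verification runs.
func checkRSAKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil || pub.N.Sign() <= 0 {
		return errors.New("rsa: missing or non-positive modulus")
	}
	if n := pub.N.BitLen(); n > maxRSAModulusBits {
		return fmt.Errorf("rsa: modulus is %d bits, limit is %d", n, maxRSAModulusBits)
	}
	return nil
}

// checkDSAParams applies FIPS 186-2 size rules (assumed here): p has L bits with
// 512 <= L <= 1024 and L a multiple of 64, q has 160 bits, 1 < g < p, 0 < y < p.
func checkDSAParams(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	if l := pub.P.BitLen(); pub.P.Sign() <= 0 || l < 512 || l > 1024 || l%64 != 0 {
		return fmt.Errorf("dsa: p is %d bits, not a FIPS 186-2 size", l)
	}
	if pub.Q.Sign() <= 0 || pub.Q.BitLen() != 160 {
		return fmt.Errorf("dsa: q is %d bits, want 160", pub.Q.BitLen())
	}
	if pub.G.Cmp(big.NewInt(1)) <= 0 || pub.G.Cmp(pub.P) >= 0 || pub.Y.Sign() <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return errors.New("dsa: g or y out of range")
	}
	return nil
}

// bitsValue returns a constructed n-bit integer (2^(n-1) + 1); sample input only, not a real key.
func bitsValue(n int) *big.Int { return new(big.Int).SetBit(big.NewInt(1), n-1, 1) }

func main() {
	fmt.Println(checkRSAKeySize(&rsa.PublicKey{N: bitsValue(4096), E: 65537}))
	fmt.Println(checkRSAKeySize(&rsa.PublicKey{N: bitsValue(65536), E: 65537}))
}
```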
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Crypto | < 0.52.0 |
References
- https://go.dev/cl/781641 (Issue Tracking)
- https://go.dev/cl/781661 (Issue Tracking)
- https://go.dev/issue/79565 (Issue Tracking)
- https://pkg.go.dev/vuln/GO-2026-5018 (Vendor Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
