CVE-2026-39832
CVE-2026-39832 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Crypto | < 0.52.0 |
References
- https://go.dev/cl/778642 (Issue Tracking)
- https://go.dev/issue/79435 (Issue Tracking)
- https://pkg.go.dev/vuln/GO-2026-5006 (Vendor Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
