9.1
FIDO/U2F Security Keys Have Verification Bypass
UBUNTU-CVE-2026-39831
Summary
FIDO/U2F security keys used in some applications may be vulnerable to verification bypass attacks. This means an attacker could potentially access the key without needing to know the correct PIN or other authentication information. To mitigate this risk, it's recommended to update to the latest version of the affected software or application.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:Pro:16.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | lxd | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | snapd | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | lxd | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | snapd | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | snapd | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:22.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:22.04:LTS | canonical | snapd | All versions |
| Ubuntu:Pro:22.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:24.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:24.04:LTS | canonical | snapd | All versions |
| Ubuntu:Pro:24.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:25.10 | canonical | golang-go.crypto | All versions |
| Ubuntu:25.10 | canonical | google-guest-agent | All versions |
| Ubuntu:25.10 | canonical | snapd | All versions |
| Ubuntu:26.04:LTS | canonical | golang-go.crypto | All versions |
| Ubuntu:26.04:LTS | canonical | google-guest-agent | All versions |
| Ubuntu:26.04:LTS | canonical | snapd | All versions |
Original title
(The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...)
Original description
(The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...)
References
- https://ubuntu.com/security/CVE-2026-39831 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-39831 Third Party Advisory
- https://go.dev/issue/79566 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI Third Party Advisory
- https://go.dev/cl/781662 Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-5019 Third Party Advisory
Published: 22 May 2026 · Updated: 25 May 2026 · First seen: 22 May 2026