9.1

CVE-2026-39834: Go SSH Channel Write Can Hang with Large Data

GO-2026-5020 CVE-2026-39834
Summary

A single Write call of more than 4GB on a Go SSH channel (golang.org/x/crypto) can hang. An integer overflow in the internal payload size calculation makes the write loop spin indefinitely, sending empty packets without making progress. The fix performs the size comparison in int64 so the value is no longer truncated.

What to do
  • Update golang.org/x/crypto to version 0.52.0.
Affected software
Ecosystem | Vendor | Product | Affected versions
Go | x | golang.org/x/crypto | < 0.52.0
    Fix: upgrade to 0.52.0
– | golang | crypto | < 0.52.0
    cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*
Original title
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty pa...
Original description
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
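
The truncation described above, as an added example that is not code from golang.org/x/crypto: it compares a size helper that narrows to uint32 before comparing with one that compares in int64. The function names, the 32768-byte payload limit and the iteration budget are assumptions, and the loop tracks only a byte count, so no large buffer is allocated.

```go
package main

import "fmt"

// truncatingMin models the vulnerable pattern: the remaining length is narrowed
// to uint32 before the comparison, so everything above bit 31 is discarded.
func truncatingMin(maxPayload uint32, remaining int64) uint32 {
	if maxPayload < uint32(remaining) {
		return maxPayload
	}
	return uint32(remaining)
}

// wideMin compares in int64 and narrows only a value known to fit in uint32.
func wideMin(maxPayload uint32, remaining int64) uint32 {
	if int64(maxPayload) < remaining {
		return maxPayload
	}
	return uint32(remaining)
}

// simulateWrite runs a chunked write loop over a byte count only (no buffer is
// allocated). budget caps the iterations so the stuck case terminates here.
func simulateWrite(total int64, maxPayload uint32, chunk func(uint32, int64) uint32, budget int) (packets, empty int, done bool) {
	remaining := total
	for remaining > 0 && packets < budget {
		n := chunk(maxPayload, remaining)
		if n == 0 {
			empty++ // a packet with no payload: the loop makes no progress
		}
		packets++
		remaining -= int64(n)
	}
	return packets, empty, remaining == 0
}

func main() {
	const maxPayload = 32768 // constructed payload limit, not taken from the library
	const budget = 200000    // constructed iteration cap
	for _, total := range []int64{1 << 32, 1<<32 + 100} { // constructed sizes
		p, e, ok := simulateWrite(total, maxPayload, truncatingMin, budget)
		fmt.Printf("truncating total=%d packets=%d empty=%d done=%v\n", total, p, e, ok)
		p, e, ok = simulateWrite(total, maxPayload, wideMin, budget)
		fmt.Printf("int64      total=%d packets=%d empty=%d done=%v\n", total, p, e, ok)
	}
}
```

A write whose length is an exact multiple of 4 GiB stalls on the first packet; any other length above 4 GiB sends the low 32 bits' worth of data and then stalls.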
Vulnerability type
CWE-190 Integer Overflow
Published: 22 May 2026 · Updated: 30 May 2026 · First seen: 22 May 2026