9.1

CVE-2026-42508: Golang SSH Known Hosts Allows Bypassing Authentication

GO-2026-5021 CVE-2026-42508
Summary

A security issue in the Golang SSH known hosts package (part of golang.org/x/crypto) allows attackers to bypass authentication by exploiting a flaw in how revoked keys are checked: a revoked 'SignatureKey' belonging to a CA was not correctly checked against @revoked entries. This could allow unauthorized access to systems that use this package. To fix this issue, update golang.org/x/crypto to the fixed version, 0.52.0.

What to do
  • Update golang.org/x/crypto to version 0.52.0.
Affected software
Ecosystem | Vendor | Product | Affected versions
Go | x | golang.org/x/crypto | < 0.52.0
Fix: upgrade to 0.52.0
– | golang | crypto | < 0.52.0
cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*
Original title
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
Original description
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
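The check described above, modelled with only the Go standard library as an added example (not code from golang.org/x/crypto or from this page). The types `Cert` and `KnownHosts`, the functions `Parse` and `Check`, and the sample keys are constructed for illustration, and host-pattern matching is omitted.

```go
package main

import (
	"fmt"
	"strings"
)

// Cert is a simplified, hypothetical stand-in for an SSH host certificate.
type Cert struct{ Key, SignatureKey string } // SignatureKey is the signing CA key

// KnownHosts holds the keys listed under the two markers that matter here.
type KnownHosts struct{ cas, revoked map[string]bool }

// Constructed sample: the same CA key is trusted and also marked @revoked.
const sampleKnownHosts = `# constructed sample, not real keys
@cert-authority *.example.com ssh-ed25519 AAAA-CONSTRUCTED-CA-KEY
@revoked * ssh-ed25519 AAAA-CONSTRUCTED-CA-KEY`

var sampleCert = Cert{Key: "ssh-ed25519 AAAA-CONSTRUCTED-HOST-KEY", SignatureKey: "ssh-ed25519 AAAA-CONSTRUCTED-CA-KEY"}

// Parse reads "<marker> <hosts> <type> <key>" lines; host patterns are ignored.
func Parse(text string) KnownHosts {
	kh := KnownHosts{map[string]bool{}, map[string]bool{}}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) >= 4 && f[0] == "@cert-authority" {
			kh.cas[f[2]+" "+f[3]] = true
		} else if len(f) >= 4 && f[0] == "@revoked" {
			kh.revoked[f[2]+" "+f[3]] = true
		}
	}
	return kh
}

// Check models the revocation test; checkCA=false is the pre-fix behaviour
// (only the certified key is compared against @revoked entries).
func (kh KnownHosts) Check(c Cert, checkCA bool) error {
	if kh.revoked[c.Key] || (checkCA && kh.revoked[c.SignatureKey]) {
		return fmt.Errorf("key is marked @revoked")
	}
	if !kh.cas[c.SignatureKey] {
		return fmt.Errorf("certificate not signed by a trusted CA")
	}
	return nil
}

func main() {
	kh := Parse(sampleKnownHosts)
	fmt.Println(kh.Check(sampleCert, false), "|", kh.Check(sampleCert, true))
}
```

With the key-only check the certificate signed by the revoked CA is accepted; checking `SignatureKey` as well rejects it.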
Vulnerability type
CWE-295 Improper Certificate Validation
Published: 22 May 2026 · Updated: 30 May 2026 · First seen: 22 May 2026