{"id":"GO-2021-0356","summary":"Denial of service via crafted Signer in golang.org/x/crypto/ssh","details":"Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that\n1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are unaffected.","aliases":["CVE-2022-27191","GHSA-8c26-wmh5-6g9v"],"modified":"2026-02-04T02:54:42.180263Z","published":"2022-04-25T20:38:40Z","related":["CGA-cqvw-g26v-5q76"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0356"},"references":[{"type":"FIX","url":"https://go.dev/cl/392355"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s"}],"affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go","purl":"pkg:golang/golang.org/x/crypto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220314234659-1baeb1ce4c0b"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["ServerConfig.AddHostKey"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0356.json"}}],"schema_version":"1.7.3"}