{"id":"USN-8447-1","summary":"golang-go.crypto vulnerabilities","details":"It was discovered that Go Cryptography did not properly handle SSH global\nrequest responses. A remote attacker could possibly use this issue to cause\na denial of service. (CVE-2026-39830)\n\nIt was discovered that Go Cryptography did not properly verify user\npresence when using FIDO/U2F security keys. An attacker could possibly use\nthis issue to bypass user presence verification for hardware security keys.\nThis issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04\nLTS, and Ubuntu 26.04 LTS. (CVE-2026-39831)\n\nIt was discovered that Go Cryptography did not properly serialize SSH agent\nkey constraint extensions. An attacker could possibly use this issue to\nbypass intended key usage restrictions. This issue only affected Ubuntu\n20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.\n(CVE-2026-39832)\n\nIt was discovered that Go Cryptography did not properly enforce the\nconfirm-before-use constraint in the SSH agent keyring. An attacker could\npossibly use this issue to use SSH keys without the required user\nconfirmation. (CVE-2026-39833)\n\nIt was discovered that Go Cryptography had an integer overflow when\nhandling large SSH channel writes. A remote attacker could possibly use\nthis issue to cause a denial of service. (CVE-2026-39834)\n\nIt was discovered that Go Cryptography did not properly check certificate\nauthority key revocation. An attacker could possibly use this issue to\nbypass certificate authority revocation checks. This issue only affected\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and\nUbuntu 26.04 LTS. (CVE-2026-42508)\n\nIt was discovered that Go Cryptography did not properly enforce the source-\naddress critical option for all SSH server callback types. An attacker\ncould possibly use this issue to bypass source address authorization\nrestrictions. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-46595)","modified":"2026-06-17T20:33:57.819488988Z","published":"2026-06-17T13:43:39Z","related":["UBUNTU-CVE-2026-39830","UBUNTU-CVE-2026-39831","UBUNTU-CVE-2026-39832","UBUNTU-CVE-2026-39833","UBUNTU-CVE-2026-39834","UBUNTU-CVE-2026-42508","UBUNTU-CVE-2026-46595"],"upstream":["CVE-2026-39830","CVE-2026-39831","CVE-2026-39832","CVE-2026-39833","CVE-2026-39834","CVE-2026-42508","CVE-2026-46595","UBUNTU-CVE-2026-39830","UBUNTU-CVE-2026-39831","UBUNTU-CVE-2026-39832","UBUNTU-CVE-2026-39833","UBUNTU-CVE-2026-39834","UBUNTU-CVE-2026-42508","UBUNTU-CVE-2026-46595"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8447-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39830"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39831"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39832"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39833"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39834"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42508"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-46595"}],"affected":[{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-infra-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm2"}]}],"versions":["1:0.0~git20150608-1","1:0.0~git20151201.0.7b85b09-2","1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_version":"1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm2","binary_name":"golang-go.crypto-dev"},{"binary_name":"golang-golang-x-crypto-dev","binary_version":"1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm2"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}},{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm2"}]}],"versions":["1:0.0~git20170629.0.5ef0053-1ubuntu1","1:0.0~git20170629.0.5ef0053-1ubuntu2","1:0.0~git20170629.0.5ef0053-2","1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"golang-go.crypto-dev","binary_version":"1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm2"},{"binary_name":"golang-golang-x-crypto-dev","binary_version":"1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm2"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42508","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}},{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.0~git20200221.2aa609c-1ubuntu0.1~esm2"}]}],"versions":["1:0.0~git20190701.4def268-2","1:0.0~git20200221.2aa609c-1","1:0.0~git20200221.2aa609c-1ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"golang-golang-x-crypto-dev","binary_version":"1:0.0~git20200221.2aa609c-1ubuntu0.1~esm2"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39831","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39832","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42508","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}},{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.0~git20211202.5770296-1ubuntu0.1~esm2"}]}],"versions":["1:0.0~git20201221.eec23a3-1","1:0.0~git20211202.5770296-1","1:0.0~git20211202.5770296-1ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1:0.0~git20211202.5770296-1ubuntu0.1~esm2","binary_name":"golang-golang-x-crypto-dev"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39831","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39832","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42508","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}},{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.19.0-1ubuntu0.1~esm2"}]}],"versions":["1:0.4.0-1","1:0.17.0-1","1:0.18.0-1","1:0.19.0-1","1:0.19.0-1ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1:0.19.0-1ubuntu0.1~esm2","binary_name":"golang-golang-x-crypto-dev"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39831","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39832","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42508","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}},{"package":{"name":"golang-go.crypto","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/golang-go.crypto?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.47.0-1ubuntu0.1~esm1"}]}],"versions":["1:0.25.0-1","1:0.45.0-1","1:0.47.0-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1:0.47.0-1ubuntu0.1~esm1","binary_name":"golang-golang-x-crypto-dev"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-39830","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39831","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39832","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39833","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-39834","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42508","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-46595","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8447-1.json"}}],"schema_version":"1.7.5"}