CVE-2026-39833

Summary

Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

Severity

medium

EPSS

0.3% (p21)

Also known as

GO-2026-5005

Published

2026-05-22

References

• https://go.dev/issue/79436
• https://go.dev/cl/778640
• https://go.dev/cl/778641

Related advisories

• CVE-2026-39832 — medium · Go/golang.org/x/crypto
• CVE-2026-39834 — medium · Go/golang.org/x/crypto
• CVE-2026-39827 — medium · Go/golang.org/x/crypto
• CVE-2026-39830 — medium · Go/golang.org/x/crypto
• CVE-2026-42508 — medium · Go/golang.org/x/crypto
• CVE-2026-39829 — medium · Go/golang.org/x/crypto
• CVE-2026-39828 — medium · Go/golang.org/x/crypto
• CVE-2026-39835 — medium · Go/golang.org/x/crypto

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity