Skip to content

golang.org/x/crypto-v0.22.0: 18 vulnerabilities (highest severity is: 10.0) #18

Open
Open
golang.org/x/crypto-v0.22.0: 18 vulnerabilities (highest severity is: 10.0)#18
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Dec 12, 2024
Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (golang.org/x/crypto-v0.22.0 version) Remediation Possible**
CVE-2026-46595 Critical 10.0 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2026-42508 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2026-39834 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-39833 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-39832 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2026-39831 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-39830 Critical 9.1 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-46597 High 7.5 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-39829 High 7.5 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2025-47913 High 7.5 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.43.0
CVE-2025-22869 High 7.5 golang.org/x/crypto-v0.22.0 Direct v0.35.0
CVE-2024-45337 High 7.4 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.31.0
CVE-2026-39827 Medium 6.5 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-39828 Medium 6.3 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0
CVE-2026-46598 Medium 5.3 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2026-39835 Medium 5.3 golang.org/x/crypto-v0.22.0 Direct https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0
CVE-2025-58181 Medium 5.3 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.45.0
CVE-2025-47914 Medium 5.3 golang.org/x/crypto-v0.22.0 Direct golang.org/x/crypto - v0.45.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-46595

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Publish Date: 2026-05-22

URL: CVE-2026-46595

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-42508

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @⁠revoked.

Publish Date: 2026-05-22

URL: CVE-2026-42508

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39834

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Publish Date: 2026-05-22

URL: CVE-2026-39834

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5020

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39833

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Publish Date: 2026-05-22

URL: CVE-2026-39833

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5005

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39832

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Publish Date: 2026-05-22

URL: CVE-2026-39832

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39831

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Publish Date: 2026-05-22

URL: CVE-2026-39831

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5019

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39830

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Publish Date: 2026-05-22

URL: CVE-2026-39830

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5017

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-46597

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Publish Date: 2026-05-22

URL: CVE-2026-46597

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5013

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39829

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Publish Date: 2026-05-22

URL: CVE-2026-39829

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2025-47913

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Publish Date: 2025-11-13

URL: CVE-2025-47913

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-13

Fix Resolution: https://github.com/golang/crypto.git - v0.43.0

Step up your Open Source Security Game with Mend here

CVE-2025-22869

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Publish Date: 2025-02-26

URL: CVE-2025-22869

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2025-3487

Release Date: 2025-02-26

Fix Resolution: v0.35.0

Step up your Open Source Security Game with Mend here

CVE-2024-45337

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@⁠v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Publish Date: 2024-12-11

URL: CVE-2024-45337

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v778-237x-gjrc

Release Date: 2024-12-11

Fix Resolution: golang.org/x/crypto - v0.31.0

Step up your Open Source Security Game with Mend here

CVE-2026-39827

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Publish Date: 2026-05-22

URL: CVE-2026-39827

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5016

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39828

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Publish Date: 2026-05-22

URL: CVE-2026-39828

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5014

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-46598

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Publish Date: 2026-05-22

URL: CVE-2026-46598

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2026-39835

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Publish Date: 2026-05-22

URL: CVE-2026-39835

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

Step up your Open Source Security Game with Mend here

CVE-2025-58181

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Publish Date: 2025-11-19

URL: CVE-2025-58181

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution: golang.org/x/crypto - v0.45.0

Step up your Open Source Security Game with Mend here

CVE-2025-47914

Vulnerable Library - golang.org/x/crypto-v0.22.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.22.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • golang.org/x/crypto-v0.22.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Publish Date: 2025-11-19

URL: CVE-2025-47914

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-19

Fix Resolution: golang.org/x/crypto - v0.45.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions