Ten Vulnerabilities. One Library. One Day.
On June 25, 2026, the Go security team published ten CVEs for golang.org/x/crypto, the SSH library that underpins virtually every Go application that handles remote access, deployment, and infrastructure management. All ten were patched in v0.52.0. The coordinated disclosure suggests the vulnerabilities were found together — a systematic audit that revealed systemic problems, not isolated bugs.
The most severe, CVE-2026-46595, received a CVSS score of 10.0 — the maximum possible. It allows complete bypass of VerifiedPublicKeyCallback, the function that enforces whether a user's public key is authorized to access a server. When this function says 'deny,' the server lets the connection through anyway. Authentication is not weakened. It is absent.
The Hardware Key That Didn't Ask Permission
CVE-2026-39831 is the most unsettling vulnerability in the batch. FIDO/U2F hardware security keys are designed with one non-negotiable guarantee: they require physical human touch to sign an authentication challenge. You press the button. The key signs. No press, no signature. This is the entire security model.
The Go SSH implementation broke that guarantee. An attacker could trigger authentication using a forwarded hardware key without the key owner physically touching it. The security key — the device organisations deploy specifically because it provides proof of human presence — signed silently. The user never knew their key was used.
Two related agent-forwarding vulnerabilities compound the problem. CVE-2026-39832 silently strips destination restrictions when forwarding SSH keys, meaning a key that should only work for server A can be redirected to server B. CVE-2026-39833 silently ignores the ConfirmBeforeUse constraint — the agent signs without prompting the user, even when the key was configured to always ask first.
Why This Matters Beyond Go
Go's x/crypto/ssh library is not an obscure dependency. It is the SSH implementation for the Go ecosystem. That means it runs inside HashiCorp Vault, Terraform, Consul. It runs inside Kubernetes controllers, cloud CLIs, CI/CD pipelines, container orchestrators, and deployment tools. When WebPulse tracks framework infrastructure, the tools that deploy those frameworks run on Go.
Hugo — the static site generator that WebPulse scores as having zero CVEs — is written in Go. Hugo itself is not affected because it does not use the SSH library directly. But the deployment pipelines that build and ship Hugo sites do. The CI/CD server that runs hugo build, the SSH connection that rsyncs the output to production, the Git operations that pull the repository — those use x/crypto/ssh. Hugo's zero-CVE record is accurate for the framework itself. The infrastructure that moves Hugo sites from source to production just had ten holes punched through it.
The Denial-of-Service Cluster
Three of the ten CVEs enable denial of service. CVE-2026-39834 triggers an infinite loop on large channel writes via integer overflow — any SSH connection transferring more than 4GB of data can lock the server. CVE-2026-39830 causes server deadlock through unsolicited global request responses. CVE-2026-39829 allows RSA/DSA key verification to consume minutes of CPU by sending keys with no modulus size limit. An attacker can crash any Go SSH server by sending it a large key.
CVE-2026-46597 causes a panic in the AES-GCM packet decoder via arithmetic underflow — a single malformed packet crashes the server. CVE-2026-39827 leaks memory on rejected channels until the server runs out of RAM. Together, these five vulnerabilities mean an attacker can crash a Go SSH server in at least five different ways, using five different entry points, without authenticating.
The Lesson
Go is memory-safe. It does not have buffer overflows. It does not have use-after-free. The security narrative around Go has been that choosing it eliminates entire vulnerability classes. That narrative is correct — and incomplete. These ten CVEs are not memory safety failures. They are logic errors: authentication checks that don't enforce, constraints that are silently dropped, size limits that don't exist, error paths that panic instead of returning.
Memory safety is necessary. It is not sufficient. The Go SSH library passed every memory safety guarantee Go provides and still allowed unauthenticated access, hardware key theft, and five distinct paths to server crash. Organisations that chose Go infrastructure specifically for its safety guarantees need to patch to v0.52.0 immediately — and recalibrate what 'safe' actually means.
