CVE-2026-39835

Severity CVSS v4.0:
Pending analysis
Type:
CWE-295 Improper Certificate Validation
Publication date:
22/05/2026
Last modified:
03/07/2026

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:* 0.52.0 (excluding)