Vulnerability Description
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
References
- https://go.dev/cl/781320
- https://go.dev/issue/35127
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI
- https://pkg.go.dev/vuln/GO-2026-5016
FAQ
What is CVE-2026-39827?
CVE-2026-39827 is a documented vulnerability. An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. ...
How severe is CVE-2026-39827?
CVSS scoring is not yet available for CVE-2026-39827. Check NVD for updates.
Is there a patch for CVE-2026-39827?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.