CVE-2026-39834

Vulnerability Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

References

https://go.dev/cl/781663
https://go.dev/issue/79567
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5020

FAQ

What is CVE-2026-39834?

CVE-2026-39834 is a documented vulnerability. When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packe...

How severe is CVE-2026-39834?

CVSS scoring is not yet available for CVE-2026-39834. Check NVD for updates.

Is there a patch for CVE-2026-39834?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.