Bug 2480685 (CVE-2026-39832)

Summary: CVE-2026-39832 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alcohan, amctagga, anjoseph, aoconnor, aruklets, bdettelb, bniver, dakwon, dhanak, dkeler, doconnor, drosa, dsimansk, dymurray, eborisov, eglynn, fdeutsch, flucifre, gmeno, gparvin, groman, jbalunas, jjoyce, jkoehler, jmatthew, jprabhak, jpretori, jschluet, kingland, kverlaen, lball, lgamliel, lhh, lphiri, manissin, mbenjamin, mburns, mgarciac, mhackett, mnovotny, ngough, oramraz, pahickey, rfreiman, rhaigner, rhel-process-autobot, rjohnson, sausingh, sbratsla, sdawley, smullick, sostapov, stirabos, suppawar, thason, vereddy, veshanka, watson-tool-maintainers, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the unrestricted use of the key on the remote host. This vulnerability could enable an attacker to bypass intended security controls and perform unauthorized actions.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2493051, 2493052, 2493053, 2493054, 2493055, 2493056, 2493057, 2493059, 2493061, 2493063, 2493064, 2493065, 2493068, 2493069, 2493070, 2493071, 2493072, 2493073, 2493076, 2493077, 2493078, 2493079, 2493080, 2493083, 2493085, 2493087, 2493089, 2493090, 2493091, 2493093, 2493094, 2493095, 2493096, 2493058, 2493060, 2493062, 2493066, 2493067, 2493074, 2493075, 2493081, 2493082, 2493084, 2493086, 2493088, 2493092, 2493097    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-22 04:02:03 UTC
When adding a key to a remote agent constraint extensions such as restrict-destination-v00 were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Comment 2 errata-xmlrpc 2026-07-06 04:52:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:35833 https://access.redhat.com/errata/RHSA-2026:35833

Comment 3 errata-xmlrpc 2026-07-07 13:00:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:36199 https://access.redhat.com/errata/RHSA-2026:36199

Comment 4 errata-xmlrpc 2026-07-08 15:51:10 UTC
This issue has been addressed in the following products:

  RHEM 1.0 for RHEL 9

Via RHSA-2026:36796 https://access.redhat.com/errata/RHSA-2026:36796

Comment 5 errata-xmlrpc 2026-07-09 05:14:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:37072 https://access.redhat.com/errata/RHSA-2026:37072

Comment 6 errata-xmlrpc 2026-07-09 07:15:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:37123 https://access.redhat.com/errata/RHSA-2026:37123

Comment 7 errata-xmlrpc 2026-07-09 18:37:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:37410 https://access.redhat.com/errata/RHSA-2026:37410

Comment 8 errata-xmlrpc 2026-07-16 14:32:01 UTC
This issue has been addressed in the following products:

  RHEM 1.1 for RHEL 10
  RHEM 1.1 for RHEL 9

Via RHSA-2026:41019 https://access.redhat.com/errata/RHSA-2026:41019