Bug 2480683 (CVE-2026-39833) - CVE-2026-39833 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation
Summary: CVE-2026-39833 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: ...
Keywords:
Status: NEW
Alias: CVE-2026-39833
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2494432 2494433 2494434 2494435 2494438 2494439 2494440 2494442 2494443 2494444 2494446 2494447 2494449 2494450 2494451 2494453 2494454 2494455 2494456 2494458 2494459 2494460 2494461 2494462 2494463 2494464 2494465 2494466 2494467 2494468 2494469 2494470 2494471 2494473 2494436 2494437 2494441 2494445 2494448 2494452 2494457 2494472
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-22 04:01 UTC by OSIDB Bzimport
Modified: 2026-07-13 16:15 UTC (History)
169 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-22 04:01:58 UTC
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.


Note You need to log in before you can comment on or make changes to this bug.