Bug 2480684 (CVE-2026-39830) - CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
Summary: CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Se...
Keywords:
Status: NEW
Alias: CVE-2026-39830
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2490391 2490393 2490394 2490395 2490398 2490401 2490404 2490407 2490410 2490411 2490414 2490415 2490417 2490418 2490419 2490421 2490423 2490424 2490425 2490427 2490428 2490429 2490432 2490433 2490434 2490435 2490436 2490438 2490440 2490443 2490444 2490445 2490446 2490448 2490451 2490452 2490453 2490454 2490457 2490459 2490460 2490462 2490467 2490469 2490470 2490471 2490472 2490473 2490475 2490476 2490477 2490480 2490481 2490482 2490483 2490484 2490485 2490487 2490491 2490492 2490493 2490494 2490495 2490496 2490499 2490500 2490501 2490392 2490396 2490402 2490409 2490416 2490420 2490422 2490426 2490430 2490431 2490437 2490439 2490441 2490442 2490447 2490449 2490456 2490464 2490466 2490478 2490479 2490486 2490488 2490489 2490490 2490497 2490498
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-22 04:02 UTC by OSIDB Bzimport
Modified: 2026-07-16 14:32 UTC (History)
77 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:29455 0 None None None 2026-06-24 23:49:34 UTC
Red Hat Product Errata RHSA-2026:35833 0 None None None 2026-07-06 04:52:39 UTC
Red Hat Product Errata RHSA-2026:36199 0 None None None 2026-07-07 13:00:23 UTC
Red Hat Product Errata RHSA-2026:36796 0 None None None 2026-07-08 15:51:13 UTC
Red Hat Product Errata RHSA-2026:37072 0 None None None 2026-07-09 05:14:29 UTC
Red Hat Product Errata RHSA-2026:41019 0 None None None 2026-07-16 14:32:12 UTC

Description OSIDB Bzimport 2026-05-22 04:02:01 UTC
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Comment 2 errata-xmlrpc 2026-06-24 23:49:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:29455 https://access.redhat.com/errata/RHSA-2026:29455

Comment 4 errata-xmlrpc 2026-07-06 04:52:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:35833 https://access.redhat.com/errata/RHSA-2026:35833

Comment 5 errata-xmlrpc 2026-07-07 13:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:36199 https://access.redhat.com/errata/RHSA-2026:36199

Comment 8 errata-xmlrpc 2026-07-08 15:51:09 UTC
This issue has been addressed in the following products:

  RHEM 1.0 for RHEL 9

Via RHSA-2026:36796 https://access.redhat.com/errata/RHSA-2026:36796

Comment 9 errata-xmlrpc 2026-07-09 05:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:37072 https://access.redhat.com/errata/RHSA-2026:37072

Comment 10 errata-xmlrpc 2026-07-16 14:32:08 UTC
This issue has been addressed in the following products:

  RHEM 1.1 for RHEL 10
  RHEM 1.1 for RHEL 9

Via RHSA-2026:41019 https://access.redhat.com/errata/RHSA-2026:41019


Note You need to log in before you can comment on or make changes to this bug.