2480688 – (CVE-2026-42508) CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey

Bug 2480688 (CVE-2026-42508) - CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey

Summary: CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypt...

Keywords:
Status:	NEW
Alias:	CVE-2026-42508
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2489773
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-22 04:02 UTC by OSIDB Bzimport
Modified:	2026-06-23 10:38 UTC (History)
CC List:	56 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-22 04:02:12 UTC

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
amctagga
anjoseph
aoconnor
bbrownin
bdettelb
bniver
dhanak
doconnor
drosa
dsimansk
dymurray
eborisov
eglynn
fdeutsch
flucifre
gmeno
gparvin
groman
jbalunas
jjoyce
jkoehler
jmatthew
jprabhak
jpretori
jschluet
kingland
kverlaen
lball
lgamliel
lhh
lphiri
manissin
mbenjamin
mburns
mgarciac
mhackett
mnovotny
ngough
oramraz
pahickey
rfreiman
rhaigner
rhel-process-autobot
rjohnson
sausingh
sdawley
smullick
sostapov
stirabos
thason
vereddy
veshanka
watson-tool-maintainers
whayutin
wtam