Go Constraint Extension Serialization Vulnerability in x/crypto/ssh/agent

Vulnerability

A vulnerability exists in the Go programming language's x/crypto/ssh/agent package, prior to version 0.52.0, where constraint extensions were not properly serialized when adding keys to a remote agent. This oversight allowed destination restrictions to be silently removed, enabling unrestricted use of the keys on remote hosts. The issue has been addressed by ensuring that all constraint extensions are serialized and by modifying the NewKeyring() function to reject keys with unsupported constraint extensions.
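What the missing serialization means on the wire, as an added example that is not code from x/crypto or from this advisory: it encodes and decodes agent key constraints using only the standard library. Assumptions: the SSH agent protocol's constraint type bytes (1 lifetime, 2 confirm, 255 extension), extension details carried as a length-prefixed string, and OpenSSH's restrict-destination-v00@openssh.com as the destination restriction; Encode, Decode and the sample details are hypothetical and constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)
const constrainLifetime, constrainConfirm, constrainExtension = 1, 2, 255 // SSH agent protocol constraint types

// Encode serializes a lifetime and {name, details} extension pairs as agent
// constraints (assumed wire shape: name and details are both SSH strings).
func Encode(lifetime uint32, exts [][2]string) []byte {
	b := binary.BigEndian.AppendUint32([]byte{constrainLifetime}, lifetime)
	for _, e := range exts {
		b = append(b, constrainExtension)
		for _, s := range e { // name, then details: uint32 length + bytes
			b = append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
		}
	}
	return b
}

// Decode parses a constraint blob and returns the extensions present in it.
func Decode(b []byte) (exts [][2]string, err error) {
	for len(b) > 0 {
		t := b[0]
		b = b[1:]
		switch {
		case t == constrainLifetime && len(b) >= 4:
			b = b[4:] // skip the uint32 lifetime
		case t == constrainConfirm: // no payload
		case t == constrainExtension:
			var e [2]string
			for i := range e { // name, then details
				if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
					return nil, fmt.Errorf("truncated extension constraint")
				}
				e[i] = string(b[4 : 4+int(binary.BigEndian.Uint32(b))])
				b = b[4+len(e[i]):]
			}
			exts = append(exts, e)
		default:
			return nil, fmt.Errorf("bad or truncated constraint type %d", t)
		}
	}
	return exts, nil
}

func main() { // constructed requests: same key lifetime, with and without the restriction
	fmt.Println(Decode(Encode(600, [][2]string{{"restrict-destination-v00@openssh.com", "constructed"}})))
	fmt.Println(Decode(Encode(600, nil))) // restriction dropped before encoding: still a valid blob
}
```

A request whose extensions were dropped before encoding still decodes without error, which is why the loss is silent; comparing the decoded list against the constraints the caller asked for is what exposes it.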

Impact

The vulnerability allowed for unrestricted use of keys on remote hosts by stripping destination restrictions when forwarding keys from the client to the agent.

Remediation

Users can update the x/crypto module to v0.52.0 or later, where this vulnerability has been fixed.

Added: May 22, 2026, 4:29 AM
Updated: May 22, 2026, 4:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.1
remediation: 0.0
relevance: 8.9
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.