Golang In-Memory Keyring Key Constraint Bypass Vulnerability

Vulnerability

A vulnerability exists in the in-memory keyring provided by the Golang crypto package's SSH agent. The NewKeyring() function accepted keys with the ConfirmBeforeUse constraint but failed to enforce it, allowing keys to sign without confirmation. This issue has been addressed in version v0.52.0, where NewKeyring() now returns an error for unsupported constraints.

Impact

Exploitation of this vulnerability allows keys to be used for signing operations without the required confirmation, potentially leading to unauthorized actions or decisions based on signatures that were never confirmed.

Remediation

Users can update to version v0.52.0 of the Golang crypto package to address this vulnerability.
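To check whether a project still pins a release older than the fix, the following added example (not code from the Go project or from this advisory) reads a go.mod file's require directives and compares the pinned version against v0.52.0. It assumes the "Golang crypto package" is the module golang.org/x/crypto; the function names and the sample go.mod text are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: the advisory's "Golang crypto package" is module golang.org/x/crypto.
const module = "golang.org/x/crypto"
var fixed = [3]int{0, 52, 0} // first fixed release per the advisory: v0.52.0

// Affected reports whether v sorts before the fixed release; versions lacking MAJOR.MINOR.PATCH fail closed.
func Affected(v string) (bool, error) {
	s, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(s, "-")                      // pre-release suffix present?
	var n [3]int
	if c, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); c != 3 || err != nil {
		return true, fmt.Errorf("malformed version %q", v)
	}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] < fixed[i], nil
		}
	}
	return pre, nil // a pre-release of v0.52.0 itself predates the fix
}

// FindVersion returns the version a go.mod requires for module (replace directives are not resolved).
func FindVersion(gomod string) (string, bool) {
	inReq := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // strip "// indirect" etc.
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inReq = f[0] == "require" // entering a require block, or leaving any block
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2], true
		case inReq && len(f) == 2 && f[0] == module:
			return f[1], true
		}
	}
	return "", false
}

func main() {
	// Constructed go.mod content, not taken from a real project.
	v, _ := FindVersion("module example.test/app\n\nrequire golang.org/x/crypto v0.45.0\n")
	fmt.Println(Affected(v))
}
```

A go.mod that redirects the module with a replace directive needs the replacement target checked separately.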

Added: May 22, 2026, 4:39 AM
Updated: May 22, 2026, 4:39 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 8.8
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.