Go CertChecker Public Key Callback Panic Vulnerability in SSH Servers

Vulnerability

A vulnerability exists in SSH servers using CertChecker as a public key callback, specifically in versions of the Go crypto package prior to v0.52.0. If the IsUserAuthority or IsHostAuthority settings are not configured, the server could panic when a client presents a certificate. This issue has been addressed by modifying CertChecker to return an error instead of causing a panic when these authority callbacks are not set.
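The failure mode described above, as a standard-library-only model (an added example, not code from the Go crypto package or from this advisory). The names certChecker, publicKey, authenticateUnguarded, authenticateGuarded and panics are hypothetical stand-ins, and the key string is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-in (assumption), not the real SSH public key type.
type publicKey string

// certChecker models only the callback field this advisory is about.
type certChecker struct {
	IsUserAuthority func(auth publicKey) bool
}

// authenticateUnguarded models the pre-fix behaviour: the callback is
// invoked without a nil check, so an unset field panics the caller.
func (c *certChecker) authenticateUnguarded(caKey publicKey) error {
	if !c.IsUserAuthority(caKey) {
		return errors.New("certificate signed by unrecognized authority")
	}
	return nil
}

// authenticateGuarded models the fix described above: an unset callback
// becomes an authentication error instead of a panic.
func (c *certChecker) authenticateGuarded(caKey publicKey) error {
	if c.IsUserAuthority == nil {
		return errors.New("IsUserAuthority not set: rejecting certificate")
	}
	return c.authenticateUnguarded(caKey)
}

// panics reports whether f panicked, so the demo can show both paths.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	ca := publicKey("constructed-ca-key") // constructed sample value
	unset := &certChecker{}               // authority callback left unset
	fmt.Println("unguarded panics:", panics(func() { unset.authenticateUnguarded(ca) }))
	fmt.Println("guarded error:", unset.authenticateGuarded(ca))
	trusted := &certChecker{IsUserAuthority: func(k publicKey) bool { return k == ca }}
	fmt.Println("configured checker error:", trusted.authenticateGuarded(ca))
}
```

The guarded path fails closed: with no authority callback configured, every certificate is rejected rather than accepted or crashing the process.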

Impact

Exploitation of this vulnerability leads to a server panic, causing a disruption in the SSH service and potentially affecting all connected users.

Remediation

Users can update to v0.52.0 or later of the Go crypto package, where this vulnerability has been fixed.

Added: May 22, 2026, 4:25 AM
Updated: May 22, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 9.0
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.