Go Knownhosts Revoked Signature Key Revocation Check Vulnerability

Vulnerability

A vulnerability exists in the Go cryptography package 'golang.org/x/crypto', specifically in its SSH known hosts handling. Previously, the revocation check did not cover a certificate's 'SignatureKey', the key of the Certificate Authority (CA) that signed it, so revoked keys could be erroneously accepted, leading to an authentication bypass. The issue has been addressed by checking both the 'key' and 'key.SignatureKey' for revocation status. All versions of 'golang.org/x/crypto' prior to v0.52.0 are affected.
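
The difference between the two checks, as an added example: this is a simplified standard-library model, not code from 'golang.org/x/crypto'. The Cert type, the function names and the key blobs are hypothetical placeholders; only the '@revoked' and '@cert-authority' known_hosts markers are real syntax.

```go
package main

import (
	"fmt"
	"strings"
)

// Cert is a hypothetical stand-in for an SSH certificate (not ssh.Certificate).
type Cert struct {
	Key          string // blob of the certified host key
	SignatureKey string // blob of the CA key that signed the certificate
}

// Constructed sample known_hosts content; the key blobs are placeholders.
const constructedKnownHosts = `@cert-authority *.example.com ssh-ed25519 CAKEYBLOB0001
@revoked * ssh-ed25519 CAKEYBLOB0001
@revoked * ssh-ed25519 HOSTKEYBLOB0009
`

// parseRevoked collects the key blob of every "@revoked" line.
func parseRevoked(knownHosts string) map[string]bool {
	revoked := make(map[string]bool)
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		// Layout: marker, host patterns, key type, key blob, optional comment.
		if len(f) >= 4 && f[0] == "@revoked" {
			revoked[f[3]] = true
		}
	}
	return revoked
}

// revokedKeyOnly models the incomplete check: only the certified key is looked up.
func revokedKeyOnly(revoked map[string]bool, c Cert) bool {
	return revoked[c.Key]
}

// revokedKeyAndSigner models the corrected check: the signing CA key is looked up too.
func revokedKeyAndSigner(revoked map[string]bool, c Cert) bool {
	return revoked[c.Key] || revoked[c.SignatureKey]
}

func main() {
	revoked := parseRevoked(constructedKnownHosts)
	c := Cert{Key: "HOSTKEYBLOB0001", SignatureKey: "CAKEYBLOB0001"}
	fmt.Println("key only:", revokedKeyOnly(revoked, c),
		"key and signer:", revokedKeyAndSigner(revoked, c))
}
```

The certificate's own key is not listed as revoked, so only the check that also looks up the signing key reports the revocation.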

Impact

The vulnerability could lead to an authentication bypass by allowing revoked keys to be accepted, potentially undermining certificate-based restrictions in SSH operations.

Remediation

Users can update to version v0.52.0 of 'golang.org/x/crypto' to address this vulnerability.

Added: May 22, 2026, 4:25 AM
Updated: May 22, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 9.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.