Go AES-GCM Packet Decoder Panic Vulnerability

Vulnerability

A vulnerability in the AES-GCM packet decoder of Go's cryptography package, golang.org/x/crypto, can lead to a server-side panic. The issue arises from an incorrectly placed cast from bytes to int, which allows crafted input to cause a panic on the server.
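To illustrate this class of bug, the following added example (not code from golang.org/x/crypto or from this advisory) shows a toy frame decoder with the cast placed after the arithmetic, next to a hardened form that widens first. The frame layout and the names decodeUnsafe, decodeSafe, panics and errTrailer are hypothetical, and the exact form of the misplaced cast is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed frame layout (an assumption for this example): frame[0] is the
// trailer length, then the body, then that many trailer bytes.
var errTrailer = errors.New("trailer length exceeds frame")

// decodeUnsafe adds 1 in byte width and only then casts to int, so a trailer
// length of 255 wraps to 0 and passes the bounds check.
func decodeUnsafe(frame []byte) ([]byte, error) {
	if len(frame) == 0 {
		return nil, errors.New("empty frame")
	}
	trailer := frame[0]
	if int(trailer+1) > len(frame) { // misplaced cast: the addition already wrapped
		return nil, errTrailer
	}
	return frame[1 : len(frame)-int(trailer)], nil // bound can go negative and panic
}

// decodeSafe casts to int first, so the addition cannot wrap.
func decodeSafe(frame []byte) ([]byte, error) {
	if len(frame) == 0 {
		return nil, errors.New("empty frame")
	}
	trailer := int(frame[0])
	if trailer+1 > len(frame) {
		return nil, errTrailer
	}
	return frame[1 : len(frame)-trailer], nil
}

// panics reports whether decoder f panics on frame.
func panics(f func([]byte) ([]byte, error), frame []byte) (p bool) {
	defer func() { p = recover() != nil }()
	_, _ = f(frame)
	return false
}

func main() {
	bad := []byte{255, 'h', 'i'} // constructed input: trailer length larger than the frame
	fmt.Println("unsafe decoder panics:", panics(decodeUnsafe, bad))
	_, err := decodeSafe(bad)
	fmt.Println("safe decoder returns:", err)
}
```

The hardened decoder turns the malformed frame into an ordinary error, so the server can drop the connection instead of crashing.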

Impact

Exploitation of this vulnerability causes a server-side panic, disrupting the normal operation of the application.

Remediation

Users can update to version v0.52.0 of golang.org/x/crypto to address this vulnerability.

Added: May 22, 2026, 4:22 AM
Updated: May 22, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 8.8
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.