Primary

Context

Go Programming Language Ed25519 Private Key Panic Vulnerability in SSH Agent

Vulnerability

Patched

A vulnerability exists in the Go programming language's SSH agent implementation, specifically in the 'golang.org/x/crypto/ssh/agent' package, prior to version 0.52.0. This vulnerability arises from the creation of an 'ed25519.PrivateKey' by improperly casting malformed wire bytes. When this malformed key is used, it causes a panic, disrupting the application's normal operation.

Impact

Exploitation of this vulnerability leads to a panic in the SSH client, causing a disruption in service.

Remediation

Users can update to Go version v0.52.0 or later, where this vulnerability has been addressed.

Added: May 22, 2026, 4:22 AM

Updated: May 22, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

5.3

remediation

7.7

relevance

8.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

5.3

remediation

7.7

relevance

8.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Go Programming Language Ed25519 Private Key Panic Vulnerability in SSH Agent

Vulnerability

Impact

Remediation

Affected Products

Go

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating