golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Moderate severity
GitHub Reviewed
Published
Jun 25, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Description
Published by the National Vulnerability Database
May 22, 2026
Published to the GitHub Advisory Database
Jun 25, 2026
Reviewed
Jun 25, 2026
Last updated
Jul 1, 2026
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
References