CVE-2026-46597 PUBLISHED

Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

Assigner: Go
Reserved: 15.05.2026 Published: 22.05.2026 Updated: 22.05.2026

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Product Status

Vendor golang.org/x/crypto
Product golang.org/x/crypto/ssh
Versions Default: unaffected
  • affected from 0 to 0.52.0 (excl.)

Credits

  • Maciej Kawka

References

Problem Types

  • CWE-191: Integer Underflow (Wrap or Wraparound)