CVE-2026-46598 PUBLISHED

Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

Assigner: Go
Reserved: 15.05.2026 Published: 22.05.2026 Updated: 22.05.2026

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Product Status

Vendor golang.org/x/crypto
Product golang.org/x/crypto/ssh/agent
Versions Default: unaffected
  • affected from 0 to 0.52.0 (excl.)

Credits

  • NCC Group Cryptography Services, sponsored by Teleport

References

Problem Types

  • CWE-129: Improper Validation of Array Index