CVE-2025-47914

NameCVE-2025-47914
DescriptionSSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1121091

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-go.crypto (PTS)bullseye1:0.0~git20201221.eec23a3-1vulnerable
bookworm1:0.4.0-1vulnerable
trixie1:0.25.0-1vulnerable
forky, sid1:0.43.0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-go.cryptosource(unstable)(unfixed)1121091

Notes

[bullseye] - golang-go.crypto <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA?pli=1
https://github.com/golang/go/issues/76364
Fixed by: https://github.com/golang/crypto/commit/f91f7a7c31bf90b39c1de895ad116a2bacc88748 (v0.45.0)
Search for package or bug name: Reporting problems