CVE-2026-39834

NameCVE-2026-39834
DescriptionWhen writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1137516

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-go.crypto (PTS)bullseye1:0.0~git20201221.eec23a3-1vulnerable
bookworm1:0.4.0-1vulnerable
trixie1:0.25.0-1vulnerable
forky, sid1:0.52.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-go.cryptosource(unstable)1:0.52.0-11137516

Notes

[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
https://www.openwall.com/lists/oss-security/2026/05/22/6
https://github.com/golang/go/issues/79567
Search for package or bug name: Reporting problems