CVE-2026-39830
cAdvisor 脆弱性の分析と軽減

概要

CVE-2026-39830 is a denial-of-service vulnerability in Go's golang.org/x/crypto/ssh package where a malicious SSH peer can send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop indefinitely. The blocked goroutine cannot be released even by calling Close(), resulting in a resource leak per connection. All versions of golang.org/x/crypto before 0.52.0 are affected. The vulnerability was published on May 22, 2026, and carries a CVSS v3.1 base score of 9.1 (Critical) (pkg.go.dev, EUVD).

技術的な詳細

The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The Go SSH library's connection read loop processes incoming SSH messages, including global request responses, without discarding unsolicited ones. A malicious SSH peer — acting as either a client or server — can flood the internal response channel buffer with unsolicited global request responses, causing the goroutine handling the read loop to block permanently. Because the goroutine cannot be unblocked via Close(), each such connection results in a persistent goroutine and resource leak. The fix, introduced in version 0.52.0, discards unsolicited global responses rather than queuing them (pkg.go.dev, Go Issue, Go CL 781640).

影響

Successful exploitation allows an unauthenticated network attacker to cause a denial of service by hanging SSH connections and leaking goroutine resources on the affected server or client. Over multiple connections, this can exhaust system memory and goroutine limits, effectively crashing or rendering unresponsive any Go application using the golang.org/x/crypto/ssh package for SSH communication. Confidentiality impact is rated High by NVD (CVSS), though the primary real-world consequence is availability loss; there is no evidence of direct data exfiltration via this vector (pkg.go.dev, EUVD).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify services built with Go that use golang.org/x/crypto/ssh versions prior to 0.52.0 — this includes SSH servers, clients, or any application embedding Go SSH functionality (e.g., Portainer, rclone, Pulumi Kubernetes provider).
  2. Establish SSH connection: Initiate a standard SSH connection to the target service. No credentials are required to begin the protocol handshake.
  3. Send unsolicited global request responses: During or after the SSH handshake, send a high volume of SSH SSH_MSG_REQUEST_SUCCESS or SSH_MSG_REQUEST_FAILURE messages (global request responses) that were never requested by the server.
  4. Fill internal buffer: The target's read loop goroutine attempts to queue these responses into an internal channel buffer. Once the buffer is full, the goroutine blocks indefinitely.
  5. Trigger resource leak: Repeat across multiple connections. Each blocked goroutine cannot be freed by Close(), causing cumulative goroutine and memory leaks that degrade or crash the target service (Go Issue, pkg.go.dev).

妥協の兆候

  • Network: Unusual volume of SSH connections from a single source IP that do not complete normal authentication flows; connections that remain open indefinitely without activity.
  • Process/Runtime: Rapidly increasing goroutine count in Go application metrics (e.g., runtime.NumGoroutine() growing unboundedly); elevated memory consumption in SSH-serving Go processes.
  • Logs: SSH connection log entries showing connections established but never cleanly terminated; absence of normal disconnect or timeout log entries for established sessions.
  • System: Increasing file descriptor usage associated with the Go SSH process; system-level OOM (out-of-memory) events or process crashes in applications using golang.org/x/crypto/ssh (Go Issue, oss-sec).

軽減策と回避策

The primary remediation is to update golang.org/x/crypto to version 0.52.0 or later, which discards unsolicited global SSH responses instead of queuing them. Applications and distributions that bundle this package — including rclone, Portainer, Pulumi Kubernetes provider, and others — should update to their respective patched releases. As a network-level workaround, restrict SSH access to trusted peers only using firewall rules or network segmentation to reduce exposure until patching is complete (pkg.go.dev, Go CL 781640, Go CL 781664).

コミュニティの反応

The Go security team disclosed the vulnerability via the golang-announce mailing list and published a Go vulnerability database entry (GO-2026-5017). The issue was also discussed on the oss-security mailing list. Multiple Linux distributions including openSUSE and Amazon Linux 2/2023 issued security advisories and package updates. Downstream projects such as rclone, Portainer, and Pulumi Kubernetes provider have released patched versions incorporating the fix (golang-announce, oss-sec, rclone changelog, Portainer release).

関連情報


ソースこのレポートは AI を使用して生成されました

関連 cAdvisor 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
いいえはいJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • paketo-buildpacks-miniconda
いいえはいJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • beats-fips-9.4
いいえはいJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
いいえはいJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
いいえはいJul 01, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者