CVE-2026-39834
cAdvisor 脆弱性の分析と軽減

概要

CVE-2026-39834 is an integer overflow vulnerability in the golang.org/x/crypto/ssh package that causes an infinite loop when writing data larger than 4GB in a single SSH channel Write call. The flaw affects all versions of golang.org/x/crypto prior to 0.52.0. It was published on May 22, 2026, and has a CVSS v3.1 base score of 9.1 (Critical) with no authentication required for exploitation (pkg.go.dev, Feedly).

技術的な詳細

The root cause is an integer overflow (CWE-190) in the internal payload size calculation within the SSH channel write loop of golang.org/x/crypto/ssh. When a caller passes a buffer exceeding 4GB (the 32-bit integer boundary), the size variable truncates, causing the loop condition to never advance — resulting in an infinite loop that continuously sends empty SSH packets. The fix, applied in Go change list 781663, replaces the size comparison variable type with int64 to prevent truncation. The vulnerability is reachable over the network without authentication, as an attacker only needs to establish an SSH connection and trigger a large write operation (pkg.go.dev, oss-sec).

影響

Successful exploitation causes the affected SSH channel's write loop to spin indefinitely, consuming CPU and potentially exhausting server resources, resulting in a denial of service for legitimate users. Because no authentication is required, any network-accessible service built on golang.org/x/crypto/ssh — including tools like rclone, Portainer, and Pulumi Kubernetes — is potentially affected. Integrity is also rated HIGH in the CVSS score, reflecting the possibility that the infinite loop disrupts data transmission guarantees on the SSH channel (Feedly, pkg.go.dev).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify services built on golang.org/x/crypto/ssh versions prior to 0.52.0 that are exposed to the network (e.g., using Shodan, Censys, or banner grabbing to identify Go-based SSH services).
  2. Establish SSH connection: Initiate a standard SSH connection to the target service. No credentials are required if the service accepts unauthenticated connections or if credentials are otherwise available.
  3. Open an SSH channel: After connection, open an SSH channel (e.g., a session or direct-tcpip channel) as part of the normal SSH protocol handshake.
  4. Trigger large Write call: Send a single Write call on the SSH channel with a payload exceeding 4GB (2^32 bytes). This causes the internal int32 size variable to overflow and truncate to zero or a small value.
  5. Induce infinite loop: The truncated size causes the write loop's progress condition to never be satisfied, locking the goroutine in an infinite loop sending empty packets and consuming server CPU/resources, resulting in denial of service (pkg.go.dev, oss-sec).

妥協の兆候

  • Network: Sustained high-volume SSH connections from a single source IP with abnormally large data transfer attempts; SSH sessions that remain open indefinitely without completing data transfer.
  • Process: Go-based SSH server processes showing 100% CPU utilization on one or more goroutines; process hangs or unresponsiveness correlated with active SSH sessions.
  • Logs: SSH server logs showing sessions that open channels but never close them; application logs indicating stalled or non-progressing write operations on SSH channels.
  • System: Elevated system load average without corresponding legitimate workload; SSH service becoming unresponsive to new connection attempts due to resource exhaustion.

軽減策と回避策

The primary remediation is to upgrade golang.org/x/crypto to version 0.52.0 or later, which fixes the integer overflow by using int64 for the size comparison (pkg.go.dev). Downstream projects such as rclone, Portainer (fixed in 2.39.3), and Pulumi Kubernetes have already released updates incorporating the patched library (Portainer Release). As a temporary workaround, implement network-level rate limiting or connection limits on SSH services, and consider adding application-level timeouts for SSH write operations to prevent indefinite blocking. Amazon Linux 2, Amazon Linux 2023, and openSUSE have also issued security advisories with updated packages (Amazon Linux, openSUSE).

コミュニティの反応

The Go security team disclosed the vulnerability via the golang-announce mailing list and published a detailed advisory in the Go vulnerability database (golang-announce). The oss-sec mailing list also carried the disclosure, prompting awareness in the open-source security community (oss-sec). Multiple Linux distributions including openSUSE and Amazon Linux issued security advisories, and several downstream Go projects rapidly released patched versions, reflecting the broad reach of the golang.org/x/crypto library in the ecosystem.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 cAdvisor 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
いいえはいJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • paketo-buildpacks-miniconda
いいえはいJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • beats-fips-9.4
いいえはいJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
いいえはいJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
いいえはいJul 01, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者