CVE-2026-39834
Critical
Published: 22 May 2026
Modified: 28 May 2026
KEV Added: —
Patch: —
CVSS Score v3.1: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score: 0.0047 (37.0th percentile)
Summary
CVE-2026-39834 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Golang Crypto. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks at the 37.0th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31400
Vulnerability details
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
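The truncation described above can be modelled without allocating a 4 GB buffer. The following is an added example, not code from golang.org/x/crypto: the function names, the 32768-byte payload limit and the narrowing to uint32 are assumptions made for illustration. It contrasts a chunk-size comparison that truncates the remaining length with one that compares in int64.

```go
package main

import "fmt"

// Constructed value for illustration; not taken from golang.org/x/crypto.
const maxPayload uint32 = 32768 // hypothetical per-packet payload limit

// chunkTruncating narrows the remaining length to uint32 before comparing
// (assumed model of the truncation the advisory describes).
func chunkTruncating(limit uint32, remaining int64) uint32 {
	if limit < uint32(remaining) {
		return limit
	}
	return uint32(remaining) // a multiple of 1<<32 becomes 0 here
}

// chunkWidened compares in int64; the result is never larger than limit.
func chunkWidened(limit uint32, remaining int64) uint32 {
	if int64(limit) < remaining {
		return limit
	}
	return uint32(remaining)
}

// simulateWrite models a write loop over total bytes without allocating them.
// It stops after maxPackets so a stalled loop is observable.
func simulateWrite(total int64, chunk func(uint32, int64) uint32, maxPackets int) (packets, empty int, done bool) {
	remaining := total
	for remaining > 0 && packets < maxPackets {
		n := chunk(maxPayload, remaining)
		if n == 0 {
			empty++ // empty packet: nothing sent, no progress
		}
		remaining -= int64(n)
		packets++
	}
	return packets, empty, remaining == 0
}

func main() {
	total := int64(1) << 32 // exactly 4 GiB
	p, e, ok := simulateWrite(total, chunkTruncating, 1000)
	fmt.Printf("truncating: packets=%d empty=%d finished=%v\n", p, e, ok)
	p, e, ok = simulateWrite(total, chunkWidened, 1<<20)
	fmt.Printf("widened:    packets=%d empty=%d finished=%v\n", p, e, ok)
}
```

A caller that cannot upgrade immediately can avoid the condition by splitting large buffers into smaller Write calls, which keeps every length well below the 32-bit boundary.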
- CWE(s): CWE-190
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Insufficient information to map techniques. Confidence: LOW · MITRE ATT&CK Enterprise v19.0
Affected Assets
golang crypto, versions ≤ 0.52.0
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.