CVE-2026-46598 is a vulnerability in the Go standard library package golang.org/x/crypto/ssh/agent, where supplying malformed or pathological inputs can cause a client application to panic and crash. This affects any service or tooling built with this SSH agent library, including Azure-hosted workloads that rely on Go-based SSH clients. The practical risk is denial of service, where an attacker able to send crafted SSH agent messages can bring down affected processes.

Architect’s Take: Audit your Azure workloads and internal tooling for any Go applications using golang.org/x/crypto/ssh/agent and update the dependency to a patched version immediately; pay particular attention to internet-facing SSH automation, CI/CD pipelines, and bastion host tooling where untrusted input could reach the SSH agent.

Original advisory: CVE-2026-46598 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

CVE-2026-27136 is a Cross-Site Scripting (XSS) vulnerability in the Go standard library package golang.org/x/net/html, triggered by invoking duplicate HTML attributes during parsing. An attacker able to influence HTML content processed by an affected Go application could inject malicious scripts into users’ browsers. This is particularly relevant to cloud-hosted Go applications and services built on Azure that rely on this library for HTML handling.

Architect’s Take: Audit your Azure-hosted Go applications and container images for use of golang.org/x/net/html and update to the patched version immediately; also review your software composition analysis (SCA) tooling to ensure this transitive dependency is flagged across all pipelines.

Original advisory: CVE-2026-27136 Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-42506 is a vulnerability in the golang.org/x/net/html package where namespaced elements in foreign content (such as SVG or MathML within HTML) are handled incorrectly, potentially allowing malformed input to bypass parsing expectations. This could be exploited to conduct cross-site scripting (XSS) or HTML injection attacks in applications that rely on this Go library for HTML parsing or sanitisation. It is particularly relevant to Azure-hosted Go applications and services that process user-supplied HTML content.

Architect’s Take: Audit your Azure workloads and container images for any Go applications using golang.org/x/net/html and update to the patched version of the package immediately. Pay particular attention to services that parse or sanitise untrusted HTML input, as these are at greatest risk of exploitation.

Original advisory: CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-25681 is a vulnerability in the Go standard library package golang.org/x/net/html, where character references within DOCTYPE nodes are handled incorrectly. This can lead to unexpected parsing behaviour that may be exploited to bypass security controls or cause application-level issues in services built with Go. It is relevant to Azure and any cloud-hosted workload using this widely adopted Go HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version as soon as it is available. Pay particular attention to services that parse untrusted HTML input, as these carry the highest exploitation risk.

Original advisory: CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

A memory leak vulnerability in the Go standard library’s SSH package (golang.org/x/crypto/ssh) can be triggered when SSH channels are rejected, potentially allowing an attacker to exhaust server memory and cause a Denial of Service. This affects any service or application built with the affected Go crypto library, including Azure-hosted workloads. Because SSH is a foundational protocol for remote access and automation, the blast radius across cloud infrastructure can be significant.

Architect’s Take: Audit your Azure workloads and internal tooling for services built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to any internet-facing SSH endpoints or Go-based automation pipelines, and consider rate-limiting or connection throttling as a short-term mitigation.

Original advisory: CVE-2026-39827 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable.

Architect’s Take: Audit your Azure workloads and internal tooling for applications built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to Go-based microservices, infrastructure tooling, and any Azure-hosted SSH gateways or bastion services that may use this package.

Original advisory: CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

CVE-2026-25680 is a denial-of-service vulnerability in the golang.org/x/net/html package, which is widely used by Go applications to parse HTML. An attacker can trigger the flaw by supplying specially crafted HTML input, causing the parser to consume excessive resources and crash or become unresponsive. Any Azure-hosted or Azure-integrated Go application that processes untrusted HTML content may be at risk.

Architect’s Take: Audit your Go-based workloads and container images for dependencies on golang.org/x/net and update to the patched version immediately; pay particular attention to internet-facing services that accept user-supplied or third-party HTML input, as these are the most directly exposed.

Original advisory: CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-42502 is a vulnerability in the golang.org/x/net/html package affecting how HTML elements in foreign content (such as SVG or MathML) are handled. Incorrect parsing behaviour could potentially be exploited to bypass security controls or cause unintended application behaviour in Go-based services. This is relevant to Azure workloads and any cloud-hosted applications built with Go that rely on this HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version immediately. Pay particular attention to services that parse or render user-supplied HTML, as these carry the highest risk of exploitation.

Original advisory: CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected.

Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates.

Original advisory: CVE-2026-39828 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh