Ssh

🟠 High | Source: Microsoft Security Response Center CVE-2026-46598 is a vulnerability in the Go standard library package golang.org/x/crypto/ssh/agent, where supplying malformed or pathological inputs can cause a client application to panic and crash. This affects any service or tooling built with this SSH agent library, including Azure-hosted workloads that rely on Go-based SSH clients. The practical risk is denial of service, where an attacker able to send crafted SSH agent messages can bring down affected processes. ...

🟠 High | Source: Microsoft Security Response Center A memory leak vulnerability in the Go standard library’s SSH package (golang.org/x/crypto/ssh) can be triggered when SSH channels are rejected, potentially allowing an attacker to exhaust server memory and cause a Denial of Service. This affects any service or application built with the affected Go crypto library, including Azure-hosted workloads. Because SSH is a foundational protocol for remote access and automation, the blast radius across cloud infrastructure can be significant. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected. Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates. ...

🟠 High | Source: Microsoft Security Response Center A vulnerability in OpenSSH versions before 10.3 (CVE-2026-35414) means the authorised_keys principals option is not handled correctly in certain edge cases where a principals list is combined with a Certificate Authority that uses comma characters in specific ways. This could allow unintended principals to authenticate, potentially granting unauthorised SSH access to affected systems. The issue is particularly relevant to cloud environments where certificate-based SSH authentication is used at scale. ...