<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ssh on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/ssh/</link><description>Recent content in Ssh on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Thu, 04 Jun 2026 08:45:22 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/ssh/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-46598: Go SSH Agent Client Panic Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-46598-golang-ssh-agent-client-panic-azure/</link><pubDate>Thu, 04 Jun 2026 08:45:22 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-46598-golang-ssh-agent-client-panic-azure/</guid><description>CVE-2026-46598 allows pathological inputs to crash Go SSH agent clients, risking denial of service in Azure and other Go-based workloads.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46598">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-46598 is a vulnerability in the Go standard library package golang.org/x/crypto/ssh/agent, where supplying malformed or pathological inputs can cause a client application to panic and crash. This affects any service or tooling built with this SSH agent library, including Azure-hosted workloads that rely on Go-based SSH clients. The practical risk is denial of service, where an attacker able to send crafted SSH agent messages can bring down affected processes.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Azure workloads and internal tooling for any Go applications using golang.org/x/crypto/ssh/agent and update the dependency to a patched version immediately; pay particular attention to internet-facing SSH automation, CI/CD pipelines, and bastion host tooling where untrusted input could reach the SSH agent.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46598">CVE-2026-46598 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent</a></p>
]]></content:encoded></item><item><title>CVE-2026-39827: Go SSH Memory Leak DoS Vulnerability</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-39827-golang-ssh-memory-leak-dos-azure/</link><pubDate>Thu, 04 Jun 2026 08:44:26 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-39827-golang-ssh-memory-leak-dos-azure/</guid><description>CVE-2026-39827 is a memory leak in golang.org/x/crypto/ssh that enables Denial of Service by rejecting SSH channels. Azure workloads at risk.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39827">Microsoft Security Response Center</a></p>
<hr>
<p>A memory leak vulnerability in the Go standard library&rsquo;s SSH package (golang.org/x/crypto/ssh) can be triggered when SSH channels are rejected, potentially allowing an attacker to exhaust server memory and cause a Denial of Service. This affects any service or application built with the affected Go crypto library, including Azure-hosted workloads. Because SSH is a foundational protocol for remote access and automation, the blast radius across cloud infrastructure can be significant.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Azure workloads and internal tooling for services built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to any internet-facing SSH endpoints or Go-based automation pipelines, and consider rate-limiting or connection throttling as a short-term mitigation.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39827">CVE-2026-39827 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh</a></p>
]]></content:encoded></item><item><title>CVE-2026-39835: Go SSH Library Server Panic Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-39835-golang-ssh-server-panic-denial-of-service-azure/</link><pubDate>Thu, 04 Jun 2026 08:44:06 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-39835-golang-ssh-server-panic-denial-of-service-azure/</guid><description>CVE-2026-39835 allows attackers to crash Go-based SSH servers without authentication via a panic in golang.org/x/crypto/ssh. Azure workloads at risk.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39835">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Azure workloads and internal tooling for applications built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to Go-based microservices, infrastructure tooling, and any Azure-hosted SSH gateways or bastion services that may use this package.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39835">CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh</a></p>
]]></content:encoded></item><item><title>CVE-2026-39828: Go SSH Certificate Bypass in Azure</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-39828-golang-ssh-certificate-bypass-azure/</link><pubDate>Thu, 04 Jun 2026 08:42:55 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-39828-golang-ssh-certificate-bypass-azure/</guid><description>CVE-2026-39828 allows SSH certificate restriction bypass in golang.org/x/crypto/ssh. Azure-hosted Go workloads may be at risk — patch promptly.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39828">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39828">CVE-2026-39828 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh</a></p>
]]></content:encoded></item><item><title>CVE-2026-35414: OpenSSH Principals Auth Bypass</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-35414-openssh-authorized-keys-principals-bypass-azure/</link><pubDate>Thu, 04 Jun 2026 08:40:55 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-35414-openssh-authorized-keys-principals-bypass-azure/</guid><description>CVE-2026-35414 affects OpenSSH before 10.3, mishandling authorized_keys principals with CA comma characters — risking unauthorised SSH access on Azure VMs.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35414">Microsoft Security Response Center</a></p>
<hr>
<p>A vulnerability in OpenSSH versions before 10.3 (CVE-2026-35414) means the authorized_keys principals option is not handled correctly in certain edge cases where a principals list is combined with a Certificate Authority that uses comma characters in specific ways. This could allow unintended principals to authenticate, potentially granting unauthorised SSH access to affected systems. The issue is particularly relevant to cloud environments where certificate-based SSH authentication is used at scale.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your SSH certificate infrastructure to identify any Certificate Authorities or authorized_keys configurations that use comma characters within principals lists, and prioritise upgrading OpenSSH to 10.3 or later across all Azure VMs and jump hosts. Consider enforcing certificate-based SSH access policies via Azure Policy to ensure patched versions are consistently deployed.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35414">CVE-2026-35414 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.</a></p>
]]></content:encoded></item></channel></rss>