CVE-2026-39831: Authentication Bypass in golang.org/x/crypto/ssh via FIDO/U2F User Presence Bypass

The Go standard sub-repository module golang.org/x/crypto/ssh provides implementations of SSH client and server protocols. This module supports hardware-backed FIDO/U2F security keys, including sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types. These key types secure authentication by requiring physical confirmation from the user during the signing process.

The SSH protocol utilizes the security key to generate signatures that assert user presence. The vulnerability, tracked as CVE-2026-39831, resides in the signature validation logic. The package accepted signatures where the User Presence flag was not set, violating the FIDO/U2F protocol specification.

This logical omission allows for silent, unattended cryptographic operations. If an attacker gains unauthorized logical access to an active security key, they can authenticate to upstream SSH servers without triggering physical interaction alerts on the user's hardware token.

FIDO/U2F hardware security keys include an authenticator data flags byte within their signature payload. The least significant bit (bit 0, value 0x01) represents the User Presence (UP) flag. Hardware keys set this flag when a user performs a physical interaction, such as tapping or touching the key.

In vulnerable versions of golang.org/x/crypto/ssh, the Verify() method implemented for skECDSAPublicKey and skEd25519PublicKey parsed signature payloads into the internal structure skFields. The definition of skFields contains a Flags field of type byte. However, the validation loop failed to execute a bitwise AND operation (Flags & 0x01) to assert the presence of the UP bit.

As a consequence of this logical gap, the SSH server validated only the outer cryptographic signature. The server assumed that any signature generated by the hardware token implied physical touch. Because hardware keys can generate signatures without touch under specific administrative policies, the absence of this programmatic check created a mechanism to bypass physical confirmation entirely.

The root cause resides in ssh/keys.go, where the validation logic ignored the parsed flags. The patch committed in Gerrit Change List 781662 introduces a constant flagUserPresence and a corresponding validation step in both ECDSA and Ed25519 security key verification logic.

// Constant defined in the patch
const flagUserPresence = 0x01
 
var errSKMissingUserPresence = errors.New("ssh: signature missing required user presence flag")

The Verify methods are updated to enforce this check. If the signature lacks the user presence flag and the key is not explicitly designated to bypass it, verification returns errSKMissingUserPresence:

// Vulnerable vs. Patched Verification Logic
func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
    // [Parsing logic matches skFields]
    
    // PATCH: Validate presence of the UP bit
    if skf.Flags&flagUserPresence == 0 && !k.noTouchRequired {
        return errSKMissingUserPresence
    }
    
    // Reconstruct signed blob and verify cryptographic signature
    return verifyECDSA(k.PublicKey, blob, sig)
}

To retain compatibility with OpenSSH implementations that support non-interactive automation, the patch introduces the helper function noTouchAllowed. This function checks if the `

Exploitation of CVE-2026-39831 does not require complex cryptographic manipulation, but rather leverages the structural omission of the security flag. An attacker who has achieved logical access to a user's environment can utilize a compromised SSH agent or direct connection to a forwarded socket to perform an authentication attempt.

When a standard FIDO credential challenge is received, the attacker interacts with the token interface to request a signature with user presence set to false. Because the Go SSH library fails to inspect the flag, the connection is authorized automatically. This bypasses the multi-factor guarantee of physical presence, reverting the security model back to single-factor logical authentication.

The security implications of bypassing User Presence verification are severe. Hardware security keys are deployed to guarantee that remote attackers cannot use stolen cryptographic material without a physical gesture. This vulnerability completely invalidates that defense-in-depth design.

The Common Vulnerability Scoring System (CVSS) v3.1 base score is calculated as 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Because the user interaction is programmatically bypassed, the User Interaction (UI) component of the vector drops from Required (R) to None (N).

If automated SSH administrative frameworks utilize vulnerable versions of this library, they are exposed to remote compromise. An attacker capable of intercepting authentication requests can establish persistent unauthorized administrative channels.

The primary remediation strategy is upgrading the golang.org/x/crypto dependency to version v0.52.0 or higher. This upgrade ensures that the golang.org/x/crypto/ssh package implements strict validation of the User Presence flag by default.

If upgrading immediately is not possible, security teams must audit their environments for the use of `