CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker

The Go programming language provides a standard library subrepository golang.org/x/crypto/ssh for building custom secure shell (SSH) servers and clients. In enterprise ecosystems, custom Go-based SSH endpoints are widely deployed to handle automated tasks, secure file transfer interfaces, developer gateways, and infrastructure control planes. The cryptographic library relies on modular structures and callback functions to delegate authority verification to application-level logic.

One such critical structure is the CertChecker utility, which implements standard SSH certificate validation rules. It contains specific field hooks for validating user authorities and host authorities, namely the IsUserAuthority and IsHostAuthority callback functions. When an incoming client presents a certificate to a server or host validation occurs, the server relies on these hooks to decide whether the signing entity is trusted.

The vulnerability designated as CVE-2026-39835 is a classic null pointer dereference weakness (CWE-476) residing in the core certificate verification routines. Because Go allows partial structure initialization, applications can instantiate CertChecker without defining these function variables, leaving them with default nil values. When a remote, unauthenticated connection attempts to perform certificate authentication, the package dereferences the nil variable, causing an unhandled panic that terminates the entire host program.

To understand the root cause, one must examine the behavior of structure allocation and zero-values in Go. In the ssh package, CertChecker is designed as a modular validator. It defines function fields such as IsUserAuthority which returns a boolean. If an application developer initializes CertChecker as part of an SSH server's public key callback configuration but fails to populate the callback fields, Go sets these pointers to nil.

The library lacks prior defensive validation before invoking these callback functions. During the handshake sequence, when a user presents an SSH certificate, the execution flow is routed into the CertChecker.Authenticate method. This method extracts the signature key of the certificate and immediately attempts to call c.IsUserAuthority(cert.SignatureKey).

In Go, invoking a function variable that contains a nil address initiates an immediate runtime panic. While normal errors are returned as values, a panic is an exceptional control flow event. Because individual SSH connections are executed inside separate, concurrent background goroutines managed by the Go runtime, an unrecovered panic in any single goroutine is not isolated. Instead, it propagates upwards and crashes the entire application process, leading to immediate denial of service.

The vulnerable implementation inside ssh/certs.go failed to perform guard checks prior to dispatching validation parameters to application-defined function pointers. The functions CheckHostKey and Authenticate directly invoke c.IsHostAuthority and c.IsUserAuthority respectively. Below is a conceptual representation of the vulnerable pathways:

// Vulnerable implementation in ssh/certs.go
func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error {
    // ... cert type validation checks ...
    // The following call is executed without a nil safety guard
    if !c.IsHostAuthority(cert.SignatureKey, addr) {
        return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
    }
    // ... rest of validation ...
}

The following patch introduces structural safety guards within ssh/certs.go under CL 781660. The modification checks the validity of the function pointers before execution and returns standard error objects:

// Patched implementation in ssh/certs.go
if cert.CertType != HostCert {
    return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
}
// Explicit safety check added to prevent null pointer dereference
if c.IsHostAuthority == nil {
    return errors.New("ssh: cannot verify certificate, IsHostAuthority not set")
}
if !c.IsHostAuthority(cert.SignatureKey, addr) {
    return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
}

A parallel guard block was introduced within CertChecker.Authenticate to secure the IsUserAuthority callback. These checks successfully transform an unhandled runtime crash vector into a manageable, loggable error state. The patch is considered highly complete as it thoroughly resolves both vulnerable execution pathways inside the package.

Exploitation of CVE-2026-39835 requires minimal sophistication and can be initiated by a remote, unauthenticated attacker. The target server must be configured to use CertChecker within its SSH server configuration, and the fields must be left uninitialized. This scenario occurs when developers assume that leaving fields blank acts as a default rejection rather than an unhandled code path.

An attacker begins by establishing a raw TCP connection to the exposed SSH listener port of the target. Once the TCP socket is open, the client sends an SSH identification string to negotiate the protocol version. After completing the initial key exchange, the client transitions to the user authentication phase by sending an SSH_MSG_USERAUTH_REQUEST message specifying public key authentication.

Instead of offering a traditional RSA or Ed25519 public key, the attacker offers an SSH certificate. When the server processes this certificate, it delegates verification to CertChecker.Authenticate. The Go runtime immediately attempts to execute the nil pointer, generating a fatal panic on the server console and terminating the process. No state changes, file writes, or memory corruption occur; the attack is purely focused on service disruption.

The severity of CVE-2026-39835 is classified as Medium, with a CVSS v3.1 base score of 5.3. The impact is limited strictly to system availability, with no risk of confidentiality breach or unauthorized modifications. However, in modern cloud-native environments, the actual operational impact can be severe depending on application monitoring and restart configurations.

Because many critical operations rely on Go-based infrastructure utilities like HashiCorp Vault, Docker registries, or Gitea code servers, crashing the service disrupts dependent continuous integration and deployment pipelines. If the target application lacks a reliable container orchestrator or process supervisor to restart the crashed binary, the denial of service remains permanent until manual administrator intervention.

Even if an automated system restarts the service, repeated exploitation attempts can generate a continuous loop of process restarts. This continuous loop degrades hardware performance, floods log streams with unhandled core dumps, and prevents legitimate connections. The ease of remote execution makes it a high-priority target for automated denial of service scripts.

The primary and recommended solution is to upgrade the golang.org/x/crypto package to version v0.52.0 or higher. Developers can execute the standard dependency update commands to pull the latest version of the subrepository. This update integrates the safety verification guards into the application compilation tree automatically.

In environments where upgrading the library is not immediately possible, application-level workarounds can prevent the panic. Developers must audit their SSH configurations to guarantee that CertChecker instances never contain nil fields. Even if certificate verification is not supported, the fields should be explicitly defined with safe fallback functions that reject all inputs.

// Application-level safety workaround
checker := &ssh.CertChecker{
    IsUserAuthority: func(auth ssh.PublicKey) bool {
        return false
    },
    IsHostAuthority: func(auth ssh.PublicKey, address string) bool {
        return false
    },
}

Additionally, integration of automated detection tooling such as govulncheck helps security teams locate vulnerable references during compilation or automated continuous integration builds. Network-level controls, such as rate limiting and IP access lists, should be deployed to restrict SSH port exposure to trusted actors.