CVE-2026-39830
Publication date 22 May 2026
Last updated 19 June 2026
Ubuntu priority
Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-go.crypto | 26.04 LTS resolute |
Fixed 1:0.47.0-1ubuntu0.1~esm1
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Fixed 1:0.19.0-1ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 1:0.0~git20211202.5770296-1ubuntu0.1~esm2
|
|
| 20.04 LTS focal |
Fixed 1:0.0~git20200221.2aa609c-1ubuntu0.1~esm2
|
|
| 18.04 LTS bionic |
Fixed 1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm2
|
|
| 16.04 LTS xenial |
Fixed 1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm2
|
|
| lxd | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Fixed 3.0.3-0ubuntu1~18.04.2+esm3
|
|
| 16.04 LTS xenial |
Fixed 2.0.11-0ubuntu1~16.04.4+esm3
|
|
| google-guest-agent | 26.04 LTS resolute |
Vulnerable
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| snapd | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
Severity score breakdown
CVSS version: CVSS v3.0
Base score
9.1 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8447-2
- LXD vulnerabilities
- 18 June 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-39830
- https://go.dev/issue/79564
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI
- https://go.dev/cl/781640
- https://go.dev/cl/781664
- https://pkg.go.dev/vuln/GO-2026-5017
- https://github.com/golang/crypto/commit/4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946