CVE-2026-39832

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published May 22, 2026

Vendor unknown

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

References

https://go.dev/cl/778642
https://go.dev/issue/79435
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5006