GHSA-78MQ-XCR3-XM33 golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil...

GHSA-9M57-25V3-79X9 golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used...

ROOT-APP-GOBINARY-CVE-2026-42306 CVE-2026-42306 in rootio-github.com/docker/docker - Patched by Root

Root has patched CVE-2026-42306 in the rootio-github.com/docker/docker package for Root:Go. Multiple fixed versions available...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

ROOT-APP-GOBINARY-GHSA-FW8G-CG8F-9J28 GHSA-fw8g-cg8f-9j28 in rootio-github.com/prometheus/prometheus - Patched by Root

Root has patched GHSA-fw8g-cg8f-9j28 in the rootio-github.com/prometheus/prometheus package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2025-22870 CVE-2025-22870 in rootio-golang.org/x/net - Patched by Root

Root has patched CVE-2025-22870 in the rootio-golang.org/x/net package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-29181 CVE-2026-29181 in rootio-go.opentelemetry.io/otel - Patched by Root

Root has patched CVE-2026-29181 in the rootio-go.opentelemetry.io/otel package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2025-58181 CVE-2025-58181 in rootio-golang.org/x/crypto - Patched by Root

Root has patched CVE-2025-58181 in the rootio-golang.org/x/crypto package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-27889 CVE-2026-27889 in rootio-github.com/nats-io/nats-server/v2 - Patched by Root

Root has patched CVE-2026-27889 in the rootio-github.com/nats-io/nats-server/v2 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-35469 CVE-2026-35469 in rootio-github.com/moby/spdystream - Patched by Root

Root has patched CVE-2026-35469 in the rootio-github.com/moby/spdystream package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2025-30204 CVE-2025-30204 in rootio-github.com/golang-jwt/jwt/v4 - Patched by Root

Root has patched CVE-2025-30204 in the rootio-github.com/golang-jwt/jwt/v4 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-32286 CVE-2026-32286 in rootio-github.com/jackc/pgproto3/v2 - Patched by Root

Root has patched CVE-2026-32286 in the rootio-github.com/jackc/pgproto3/v2 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-32285 CVE-2026-32285 in rootio-github.com/buger/jsonparser - Patched by Root

Root has patched CVE-2026-32285 in the rootio-github.com/buger/jsonparser package for Root:Go. Multiple fixed versions available...

UBUNTU-CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

UBUNTU-CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

Improper Authentication

Overview golang.org/x/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Improper Authentication due to the Verify method not checking the User Presence flag in FIDO/U2F security key types. An attacker can perform unauthorized authentication by generating...

GO-2026-5016 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for...

GO-2026-5023 Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...