vulnerability context

CVE-2026-39833

CVSS 9.1 CRITICALEPSS 28%CWE-862OTX 9 pulses

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Published 2026-05-22 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 9.1 / CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 28% percentile (score 0.0036)
CWE: CWE-862
OTX pulses: 9 total, 0 recent

View on NVD → · cve.org

source mentions 2

USN-8447-2: LXD vulnerabilitiesUbuntu Security Notices · 5d ago
CVE-2026-39833 Invoking key constraints not enforced in golang.org/x/crypto/ssh/agentMSRC Update Guide · 27d ago

source consensus

Ubuntu Security Notices1×
MSRC Update Guide1×

Want the 3-bullet summary of CVE-2026-39833, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →