CVE-2026-46597 - Vulnerability Details

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://go.dev/cl/781620
https://go.dev/issue/79561
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5013

History

Fri, 22 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-680 CWE-704

Fri, 22 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
Title		Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
References		https://go.dev/cl/781620 https://go.dev/issue/79561 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5013

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-05-22T02:31:26.754Z

Updated: 2026-05-22T02:31:26.754Z

Reserved: 2026-05-15T17:35:00.813Z

Link: CVE-2026-46597

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-22T04:16:26.003

Modified: 2026-05-22T04:16:26.003

Link: CVE-2026-46597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T04:30:25Z

Metrics