When adding a key to a remote agent, constraint extensions
such as restrict-destination-v00@openssh.com were not
serialized in the request. Destination restrictions were
silently stripped when forwarding keys, allowing unrestricted
use of the key on the remote host. The client now serializes
all constraint extensions. Additionally, the in-memory keyring
returned by NewKeyring() now rejects keys with unsupported
constraint extensions instead of silently ignoring them.
Thanks to NCC Group Cryptography Services, sponsored by Teleport, for reporting this issue.
This is CVE-2026-39832 and Go issue https://go.dev/issue/79435.
This was a PUBLIC track issue, tracked in http://b/503003280.
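
The failure mode described above, as an added Go example (not the x/crypto code or its patch): an encoder that can drop the extension the way the flawed client did, and a parser that fails closed on unsupported extensions. The function names, the dropExtension flag and the framing of extension details as one length-prefixed string are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const constrainLifetime, constrainExtension = 1, 255 // agent protocol type bytes

// encodeConstraints builds the constraint bytes of an add-key request: a
// lifetime plus one extension. dropExtension=true reproduces the flaw.
func encodeConstraints(lifetime uint32, name string, details []byte, dropExtension bool) []byte {
	b := binary.BigEndian.AppendUint32([]byte{constrainLifetime}, lifetime)
	if dropExtension {
		return b
	}
	b = append(b, constrainExtension)
	for _, s := range [][]byte{[]byte(name), details} { // assumption: both length-prefixed
		b = append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
	}
	return b
}

// parseConstraints fails closed: an unsupported extension is an error, not skipped.
func parseConstraints(b []byte, supported map[string]bool) (names []string, err error) {
	for len(b) > 0 {
		switch t := b[0]; {
		case t == constrainLifetime && len(b) >= 5:
			b = b[5:]
		case t == constrainExtension:
			var f [2][]byte // name, details
			b = b[1:]
			for i := range f {
				if len(b) < 4 || uint32(len(b)-4) < binary.BigEndian.Uint32(b) {
					return nil, fmt.Errorf("truncated extension")
				}
				n := binary.BigEndian.Uint32(b)
				f[i], b = b[4:4+n], b[4+n:]
			}
			if !supported[string(f[0])] {
				return nil, fmt.Errorf("unsupported constraint extension %q", f[0])
			}
			names = append(names, string(f[0]))
		default:
			return nil, fmt.Errorf("bad constraint type %d", t)
		}
	}
	return names, nil
}
```

With dropExtension set, the receiving side sees only the lifetime and has no way to know a destination restriction was ever requested, which is why the check has to happen on the sending side as well.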