SSH servers which use CertChecker as a public key
callback without setting IsUserAuthority or
IsHostAuthority could be caused to panic by a
client presenting a certificate. CertChecker now
returns an error instead of panicking when these
callbacks are nil.
Thanks to NCC Group Cryptography Services, sponsored by Teleport for reporting this issue.
This is CVE-2026-39835 and Go issue https://go.dev/issue/79563.
This was a PRIVATE track issue, tracked in http://b/503003289.
SSH servers which use CertChecker as a public key
callback without setting IsUserAuthority or
IsHostAuthority could be caused to panic by a
client presenting a certificate. CertChecker now
returns an error instead of panicking when these
callbacks are nil.
Thanks to NCC Group Cryptography Services, sponsored by Teleport for reporting this issue.
This is CVE-2026-39835 and Go issue https://go.dev/issue/79563.
This was a PRIVATE track issue, tracked in http://b/503003289.