CVE-2026-39831
EUVD-2026-3139522.05.2026, 04:16
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| golang | crypto | 𝑥 < 0.52.0 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| amazon-ssm-agent |
| ||||||||||||||||
| apptainer |
| ||||||||||||||||
| apptainer-sle15_6 |
| ||||||||||||||||
| buildah |
| ||||||||||||||||
| google-guest-agent |
| ||||||||||||||||
| google-osconfig-agent |
|
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| amazon-cloudwatch-agent |
| ||||
| containerd |
| ||||
| containerd-debuginfo |
| ||||
| containerd-debugsource |
| ||||
| containerd-stress |
| ||||
| containerd-stress-debuginfo |
| ||||
| docker |
| ||||
| docker-debuginfo |
| ||||
| docker-debugsource |
| ||||
| nerdctl |
| ||||
| nerdctl-debuginfo |
| ||||
| rclone |
| ||||
| rclone-debuginfo |
| ||||
| rclone-debugsource |
| ||||
| runfinch-finch |
|
Common Weakness Enumeration
Vulnerability Media Exposure