Unknown · golang.org/x/crypto/ssh · CVE-2021-43565
**Name of the Vulnerable Software and Affected Versions**
golang.org/x/crypto/ssh package versions prior to 0.0.0-20211202192323-5770296d904e
**Description**
The golang.org/x/crypto/ssh package does not sufficiently validate input, which a remote attacker can exploit to cause a denial of service. Specifically, when AES-GCM or ChaCha20Poly1305 is in use, consuming a malformed packet with an empty plaintext can cause a panic in the SSH server. The attacker does not need to be authenticated to trigger the panic.
**Recommendations**
If you are running a version prior to 0.0.0-20211202192323-5770296d904e, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the SSH server or implementing additional validation on incoming packets to minimize the risk of exploitation.
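To find builds that still need the update, the following added example (not part of the original advisory or of the Go project's code) scans go.mod text for golang.org/x/crypto requirements older than the version threshold given above. The function names and the sample go.mod are constructed, and the check assumes that any version which is not a v0.0.0 pseudo-version is a later tagged release.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const (
	modulePath = "golang.org/x/crypto"
	// Timestamp field of the fixed version 0.0.0-20211202192323-5770296d904e.
	fixedStamp = "20211202192323"
)

// affected reports whether version v of golang.org/x/crypto predates the fix.
// Assumption: a version that is not a v0.0.0 pseudo-version (for example a
// tagged v0.x.y release) is newer than the fix and is reported as not affected.
func affected(v string) bool {
	parts := strings.Split(strings.TrimPrefix(v, "v"), "-")
	if len(parts) != 3 || parts[0] != "0.0.0" || len(parts[1]) != len(fixedStamp) {
		return false
	}
	// Pseudo-version timestamps are fixed-width UTC, so string order is time order.
	return parts[1] < fixedStamp
}

// scanGoMod returns the affected x/crypto versions required in go.mod text.
// It reads require lines only; replace directives are not interpreted.
func scanGoMod(gomod string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == modulePath && affected(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() {
	// Constructed sample input: the timestamp and hash below are made up.
	sample := "module example.test/app\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20210101000000-aaaaaaaaaaaa // indirect\n)\n"
	fmt.Println(scanGoMod(sample))
}
```

go.mod lists the required version; `go list -m golang.org/x/crypto` reports the version actually selected for the build.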