PT-2022-6957 · Unknown+3 · Golang.Org/X/Crypto/Ssh+3

Rod Hynes · Published 2022-01-10 · Updated 2025-10-11 · CVE-2021-43565

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: golang.org/x/crypto/ssh package versions prior to 0.0.0-20211202192323-5770296d904e

Description: The issue is caused by insufficient input validation in the golang.org/x/crypto/ssh package and can be exploited by a remote attacker to cause a denial of service. Specifically, when AES-GCM or ChaCha20Poly1305 is in use, consuming a malformed packet whose plaintext is empty causes a panic in the SSH server. An unauthenticated attacker can exploit this to crash the SSH server.

Recommendations: For versions prior to 0.0.0-20211202192323-5770296d904e, update to 0.0.0-20211202192323-5770296d904e or a later version that includes the fix for this issue. As a temporary workaround, consider restricting access to the SSH server or implementing additional validation on incoming packets to minimize the risk of exploitation.
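To make the failure mode concrete, the following is an added illustrative example and not the golang.org/x/crypto/ssh code itself: a parser for the decrypted SSH packet body (RFC 4253 layout) that indexes the padding_length byte without a length check panics on empty plaintext, while the checked variant returns an error instead. The function names and the sample packet bytes are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// parsePacketUnchecked illustrates the pre-fix failure mode described in the
// advisory: it reads the padding_length byte (plain[0]) without confirming the
// plaintext is non-empty, so an empty plaintext causes an index-out-of-range panic.
func parsePacketUnchecked(plain []byte) []byte {
	padding := int(plain[0]) // panics when len(plain) == 0
	return plain[1 : len(plain)-padding]
}

// parsePacketChecked parses the decrypted SSH packet body (RFC 4253 section 6:
// padding_length byte, payload, random padding) and validates the lengths
// before indexing, so a malformed packet yields an error instead of a panic.
func parsePacketChecked(plain []byte) ([]byte, error) {
	if len(plain) == 0 {
		return nil, errors.New("ssh: empty packet")
	}
	padding := int(plain[0])
	if padding+1 > len(plain) {
		return nil, errors.New("ssh: padding length exceeds packet")
	}
	return plain[1 : len(plain)-padding], nil
}

// safeParse runs the unchecked parser under recover so the panic can be
// observed without terminating the process.
func safeParse(plain []byte) (payload []byte, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return parsePacketUnchecked(plain), false
}

func main() {
	// Constructed sample: padding_length 4, payload "SSH", 4 padding bytes.
	good := []byte{4, 'S', 'S', 'H', 0, 0, 0, 0}
	_, panicked := safeParse(nil)
	fmt.Println("unchecked parser panicked on empty plaintext:", panicked)
	_, err := parsePacketChecked(nil)
	fmt.Println("checked parser error on empty plaintext:", err)
	payload, _ := parsePacketChecked(good)
	fmt.Printf("checked parser payload: %q\n", payload)
}
```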

Fix

RCE

Weakness Enumeration

Related Identifiers

AZL-43338
AZL-43341
AZL-43344
AZL-43347
AZL-43348
BDU:2023-05839
CVE-2021-43565
GHSA-GWC9-M7RH-J2WW
GO-2022-0968
OPENSUSE-SU-2022:0040-1
OPENSUSE-SU-2022:0526-1
OPENSUSE-SU-2022_0040-1
OPENSUSE-SU-2022_0526-1
OPENSUSE-SU-2022_1689-1
OPENSUSE-SU-2024:11735-1
OPENSUSE-SU-2024:12034-1
OPENSUSE-SU-2025:15589-1
RHSA-2022:1276
RHSA-2022:1361
RHSA-2022:5068
SUSE-SU-2022:0040-1
SUSE-SU-2022:0130-1
SUSE-SU-2022:0526-1
SUSE-SU-2022:1507-1
SUSE-SU-2022:1689-1
SUSE-SU-2022_0040-1
SUSE-SU-2022_0130-1
SUSE-SU-2022_0526-1
SUSE-SU-2022_1507-1
SUSE-SU-2022_1689-1
SUSE-SU-2025:03540-1
SUSE-SU-2025:03545-1

Affected Products

Astra Linux
Debian
Suse
Golang.Org/X/Crypto/Ssh