CVE-2026-42508 - Go x/crypto knownhosts revoked CA bypass
golang.org/x/crypto/ssh/knownhosts before 0.52.0 did not correctly enforce
@revoked status on a revoked CA SignatureKey. That let affected clients
accept a host certificate path that should have been rejected.
This is a host-authentication trust failure in custom SSH clients that rely on
knownhosts validation for certificate-based trust decisions.
When to use it
Use this recipe when a Go service, CLI, Git mirror, deployment tool, or agent
runner uses golang.org/x/crypto/ssh/knownhosts to validate SSH host keys or
certificates, especially where revoked certificate authorities are part of the
trust model. It is designed for source-code remediation, known-hosts trust-root
review, revoked-CA regression testing, and evidence that SSH connections fail
closed after CA revocation.
Inputs
golang.org/x/cryptoversion, Go module/vendor state, known_hosts files, trusted/revoked CA entries, SSH client wrappers, Git/deploy mirror configs, and generated dependency or SBOM reports.- Source/config paths that call
knownhosts.New, build SSH host-key callbacks, load known_hosts data, manage CA revocation, or connect to SSH remotes. - Regression fixtures for trusted CA success, revoked CA denial, raw host-key success, host mismatch, malformed known_hosts lines, and no live SSH traffic.
- Boundary evidence: SSH remotes, mirror/deploy credentials, host-key ownership, revocation process, logs, credential rotation owner, and rollout owner.
Affected versions
- Vulnerable:
golang.org/x/crypto/ssh/knownhosts <0.52.0 - Fixed:
0.52.0+ - Affected surface: SSH client host verification using
knownhosts
Indicator-of-exposure
- The repository resolves
golang.org/x/crypto <0.52.0. - Client code uses
knownhostsfor host-certificate validation. - Trust policy depends on revoked CA entries in known_hosts files.
Quick checks:
rg -n "knownhosts|@revoked|SignatureKey|HostKeyCallback|CertChecker" .
go list -m all | rg "golang.org/x/crypto"
Windows:
rg -n "knownhosts|@revoked|SignatureKey|HostKeyCallback|CertChecker" .
go list -m all | rg "golang.org/x/crypto"
Remediation strategy
- Upgrade
golang.org/x/cryptoto0.52.0+. - Re-audit SSH host trust logic for revoked CA handling.
- Refresh or review known_hosts policy if revoked CA state was expected to block hostile certificates.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-42508 / GHSA-5cgq-3rg8-m6cv in Go SSH client code.
Revoked CA SignatureKey status is not enforced correctly. Produce exactly one
output:
- A reviewer-ready PR/change request that upgrades `golang.org/x/crypto`,
hardens host verification, adds regression tests, and documents trust-policy
review, or
- TRIAGE.md if this repository does not control an affected SSH client path.
## Rules
- Scope only CVE-2026-42508 and directly related host-verification logic.
- Treat known_hosts files, certificate authorities, and trust anchors as
sensitive.
- Do not connect to attacker-controlled SSH endpoints.
- Do not auto-merge.
## Steps
1. Inventory every Go module and binary controlled here that uses
`knownhosts`.
2. Confirm whether any resolved version is `<0.52.0`.
3. Trace SSH host verification and revocation policy.
4. If no affected client path is controlled here, stop with `TRIAGE.md`.
5. Upgrade to `0.52.0+` and refresh module metadata and images.
6. Add regression tests proving revoked CA `SignatureKey` paths are rejected.
7. Add a PR body section named `CVE-2026-42508 operator actions` covering
versions before and after, trust paths audited, and validation that passed.
8. Run available validation: `go test`, builds, and dependency/security scans.
9. Use PR title:
`fix(sec): remediate Go knownhosts revoked CA bypass`.
Output contract
- A reviewer-ready PR or change request that upgrades
golang.org/x/crypto, refreshes modules/vendor state, adds revoked-CA knownhosts regression tests, and documents SSH trust/credential review. - Or a
TRIAGE.mdfile that lists inspected modules/config/call sites, owner, observed version, knownhosts CA trust boundary, required fix, and residual risk. - The output must include exact validation commands and must not intercept live SSH traffic, expose deploy keys, mutate known_hosts in production, or weaken host-key verification.
Verification - what the reviewer looks for
- No controlled binary resolves
golang.org/x/crypto/ssh/knownhosts <0.52.0. - Revoked CA host-certificate paths are rejected in tests.
- Host verification logic is not silently trusting revoked certificate signers.
Watch for
- Upgrading one module while another binary vendors the old package.
- Testing ordinary key revocation but not revoked CA
SignatureKeycases.
Related recipes
- Source code supply chain build integrity audit
- Source code secrets and data exposure audit
- Source code attack surface map
- SAST finding triage and fix
References
- GitHub Advisory: https://github.com/advisories/GHSA-5cgq-3rg8-m6cv
- Go issue: https://go.dev/issue/79568
- Go fix: https://go.dev/cl/781220
- Go vuln entry: https://pkg.go.dev/vuln/GO-2026-5021