CVE-2022-27191 in Google Go

Summary

by MITRE • 03/18/2022

golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey.


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability identified as CVE-2022-27191 affects the Go programming language's ssh package within the crypto module, specifically impacting versions prior to 0.0.0-20220314234659-1baeb1ce4c0b. This issue manifests in Go versions through 1.16.15 and 1.17.x through 1.17.8, creating a potential denial of service condition that can be exploited by remote attackers. The vulnerability is particularly concerning because it allows an attacker to cause a server crash through specific interactions with the AddHostKey function, which is a fundamental component of SSH server implementations in Go applications.

The technical flaw resides in how the ssh package handles host key additions, specifically when the AddHostKey function processes certain malformed or unexpected inputs. This function is used by SSH servers to add host keys to their configuration, but due to inadequate input validation and error handling mechanisms, an attacker can craft malicious inputs that trigger a panic or crash within the Go runtime. The vulnerability operates through a path where the server's internal state becomes corrupted during host key processing, leading to an unhandled exception that terminates the SSH service. This behavior aligns with CWE-248, which describes an unchecked exception in software systems, and represents a classic example of improper error handling that can lead to system instability.

The operational impact of this vulnerability is significant for organizations running SSH servers implemented in Go, as it creates a straightforward method for remote attackers to perform denial of service attacks against critical infrastructure. An attacker could exploit this vulnerability to repeatedly crash SSH servers, disrupting legitimate remote access operations and potentially causing service interruptions that affect business continuity. The vulnerability's exploitation requires minimal technical expertise, making it particularly dangerous as it can be leveraged by attackers with basic knowledge of SSH protocols and Go application structures. This type of vulnerability also aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, and represents a critical weakness in system availability that can be easily weaponized.

Organizations should immediately update their Go applications to versions that include the patched ssh package, specifically targeting releases that incorporate the fix for the AddHostKey function. The recommended mitigation strategy involves upgrading to Go 1.16.16 or 1.17.9, which contain the necessary patches to address the vulnerability. Additionally, system administrators should implement monitoring for unusual SSH service disruptions and consider implementing rate limiting or input validation measures at network boundaries to reduce the attack surface. Security teams should also review their Go application deployments to ensure all instances of the vulnerable ssh package are updated, as this vulnerability affects any server implementation that relies on the affected Go crypto/ssh module. The fix addresses the underlying error handling issue by implementing proper validation of host key inputs and ensuring that malformed data does not cause the runtime to panic, thereby maintaining system stability and availability.
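One practical way to carry out the review step above, auditing each Go deployment for the vulnerable dependency, is to check the golang.org/x/crypto version recorded in a service's go.mod against the fixed pseudo-version named in this entry. The following Go program is an added example, not VulDB's or the Go project's code: it parses go.mod text, extracts the golang.org/x/crypto requirement and classifies it by comparing the pseudo-version timestamp with 20220314234659 (the fix commit 1baeb1ce4c0b from the summary). The two go.mod samples are constructed, with placeholder commit hashes; the rule that any tagged golang.org/x/crypto release (v0.1.0 and later) postdates the fix is an assumption based on the module's first tag being cut in October 2022.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Timestamp of the fixed pseudo-version v0.0.0-20220314234659-1baeb1ce4c0b
// named in the CVE summary. Pseudo-versions of x/crypto from before this
// commit ship the vulnerable AddHostKey code path.
const fixedTimestamp = "20220314234659"

// Pseudo-version shape used by x/crypto before its first tagged release:
// v0.0.0-<14-digit UTC timestamp>-<12 hex chars of commit hash>.
var pseudoVersionRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// Matches both the one-line form "require golang.org/x/crypto vX" and a line
// inside a "require ( ... )" block; a trailing "// indirect" is ignored.
var requireRe = regexp.MustCompile(`^\s*(?:require\s+)?golang\.org/x/crypto\s+(\S+)`)

// Finding is the classification of one golang.org/x/crypto version string.
type Finding struct {
	Version    string
	Vulnerable bool
	Reason     string
}

// AssessCryptoVersion decides whether a golang.org/x/crypto version predates
// the CVE-2022-27191 fix. Unrecognised version strings are treated as
// vulnerable so that the check fails closed.
func AssessCryptoVersion(v string) Finding {
	if m := pseudoVersionRe.FindStringSubmatch(v); m != nil {
		// Both timestamps are 14 digits, so a plain string comparison orders them.
		if m[1] < fixedTimestamp {
			return Finding{v, true, "pseudo-version predates fix commit 1baeb1ce4c0b"}
		}
		return Finding{v, false, "pseudo-version is at or after the fix commit"}
	}
	if strings.HasPrefix(v, "v0.") && !strings.HasPrefix(v, "v0.0.0") {
		// Assumption: every tagged x/crypto release (v0.1.0+) postdates the fix.
		return Finding{v, false, "tagged release postdates the fix"}
	}
	return Finding{v, true, "unrecognised version string; treat as vulnerable until verified"}
}

// ScanGoMod returns the finding for the golang.org/x/crypto requirement in
// the given go.mod text, and false if the module is not required directly.
func ScanGoMod(goMod string) (Finding, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		if m := requireRe.FindStringSubmatch(sc.Text()); m != nil {
			return AssessCryptoVersion(m[1]), true
		}
	}
	return Finding{}, false
}

// Constructed sample go.mod files (placeholder commit hashes, not real ones).
const vulnerableGoMod = `module example.com/sshserver

go 1.17

require (
	golang.org/x/crypto v0.0.0-20210921000000-bbbbbbbbbbbb
	golang.org/x/sys v0.0.0-20210615000000-cccccccccccc // indirect
)
`

const fixedGoMod = `module example.com/sshserver

go 1.17

require golang.org/x/crypto v0.0.0-20220315000000-aaaaaaaaaaaa
`

func main() {
	for _, src := range []string{vulnerableGoMod, fixedGoMod} {
		f, ok := ScanGoMod(src)
		if !ok {
			fmt.Println("golang.org/x/crypto is not a direct requirement")
			continue
		}
		fmt.Printf("%s vulnerable=%v (%s)\n", f.Version, f.Vulnerable, f.Reason)
	}
}
```

The scanner only reads direct requirements in go.mod and does not follow replace directives or the full module graph, so it is a quick triage over many repositories rather than the final word; for an authoritative answer run `go list -m golang.org/x/crypto` or govulncheck in the build environment and confirm the resolved version is at or after the fix commit.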

Reservation

03/15/2022

Disclosure

03/18/2022

Moderation

accepted

CPE

ready

EPSS

0.03931

KEV

no

Activities

very low

Sources
