// #golang

2 articles

Golang crypto/ssh Mass Advisory: Nine CVEs Including CVSS 10.0 Re-Opened SSH Auth Bypass Affect Enterprise DevOps Infrastructure

The Go security team published a coordinated batch of nine CVE fixes for the golang.org/x/crypto SSH library on 22 May, including CVE-2026-46595 (CVSS 10.0), which re-opens a previously patched SSH authentication bypass for services using non-public-key authentication callbacks. Enterprise environments using Go-based SSH tooling, CI/CD pipelines, Kubernetes components, and cloud management tooling are affected.

May 22, 2026 #golang +8

⚖️ Risk Mgmt

Nine CVEs in One Go Cryptography Library: What Mass Advisories in Open-Source Crypto Mean for Enterprise Risk Management

The nine-CVE golang.org/x/crypto advisory is the latest in a pattern of mass security advisories from widely used open-source cryptographic libraries. For enterprise risk managers, the recurring pattern raises questions about how dependency-level cryptography risk is assessed, tracked, and communicated — and whether current SCA tooling is adequate for the velocity of advisory publication.

May 22, 2026 #open-source +7

Commentary tagged #golang

Opinion

Mass Open-Source Cryptography Advisories Are Becoming the New Normal — and the Industry Isn't Ready

The nine-CVE golang.org/x/crypto advisory follows a pattern that is accelerating: coordinated mass advisories in foundational open-source cryptographic libraries that affect thousands of downstream applications simultaneously. The industry's response tooling and processes have not kept pace with the advisory volume or the structural complexity of transitive dependency exposure.

CipherWatch Editorial

Security Intelligence Platform

May 22, 2026