CVE-2026-39833
Publication date 22 May 2026
Last updated 19 June 2026
Ubuntu priority
Description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-go.crypto | 26.04 LTS resolute |
Fixed 1:0.47.0-1ubuntu0.1~esm1
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Fixed 1:0.19.0-1ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 1:0.0~git20211202.5770296-1ubuntu0.1~esm2
|
|
| 20.04 LTS focal |
Fixed 1:0.0~git20200221.2aa609c-1ubuntu0.1~esm2
|
|
| 18.04 LTS bionic |
Fixed 1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm2
|
|
| 16.04 LTS xenial |
Fixed 1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm2
|
|
| lxd | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Fixed 3.0.3-0ubuntu1~18.04.2+esm3
|
|
| 16.04 LTS xenial |
Fixed 2.0.11-0ubuntu1~16.04.4+esm3
|
|
| google-guest-agent | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| snapd | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
Severity score breakdown
CVSS version: CVSS v3.0
Base score
9.1 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8447-2
- LXD vulnerabilities
- 18 June 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-39833
- https://go.dev/issue/79436
- https://go.dev/cl/778640
- https://go.dev/cl/778641
- https://groups.google.com/g/golang-announce/c/a082jnz-LvI
- https://pkg.go.dev/vuln/GO-2026-5005
- https://github.com/golang/crypto/commit/0fb843a472225645e917c84f1f9744757f0bab14