From 9d737a6400d34e4df2212f75109bef1abec7ddaf Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Thu, 21 May 2026 23:44:13 -0700
Subject: [PATCH] fix(deps): update module golang.org/x/crypto to v0.52.0
 [security] (#37806)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) |
[`v0.51.0` →
`v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0)
|
![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fcrypto/v0.52.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fcrypto/v0.51.0/v0.52.0?slim=true)
|

---

### Invoking key constraints not enforced in
golang.org/x/crypto/ssh/agent
[CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833) /
[GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005)

<details>
<summary>More information</summary>

#### Details
The in-memory keyring returned by NewKeyring() silently accepted keys
with the ConfirmBeforeUse constraint but never enforced it. The key
would sign without any confirmation prompt, with no indication to the
caller that the constraint was not in effect. NewKeyring() now returns
an error when unsupported constraints are requested.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79436](https://go.dev/issue/79436)
- [https://go.dev/cl/778640](https://go.dev/cl/778640)
- [https://go.dev/cl/778641](https://go.dev/cl/778641)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5005) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking agent constraints dropped when forwarding keys in
golang.org/x/crypto/ssh/agent
[CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832) /
[GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006)

<details>
<summary>More information</summary>

#### Details
When adding a key to a remote agent constraint extensions such as
restrict-destination-v00@&#8203;openssh.com were not serialized in the
request. Destination restrictions were silently stripped when forwarding
keys, allowing unrestricted use of the key on the remote host. The
client now serializes all constraint extensions. Additionally, the
in-memory keyring returned by NewKeyring() now rejects keys with
unsupported constraint extensions instead of silently ignoring them.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79435](https://go.dev/issue/79435)
- [https://go.dev/cl/778642](https://go.dev/cl/778642)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5006) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking byte arithmetic causes underflow and panic in
golang.org/x/crypto/ssh
[CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597) /
[GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013)

<details>
<summary>More information</summary>

#### Details
An incorrectly placed cast from bytes to int allowed for server-side
panic in the AES-GCM packet decoder for well-crafted inputs.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79561](https://go.dev/issue/79561)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781620](https://go.dev/cl/781620)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5013) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking bypass of certificate restrictions in
golang.org/x/crypto/ssh
[CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828) /
[GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014)

<details>
<summary>More information</summary>

#### Details
When an SSH server authentication callback returned PartialSuccessError
with non-nil Permissions, those permissions were silently discarded,
potentially dropping certificate restrictions such as force-command
after a second factor succeeded. Returning non-nil Permissions with
PartialSuccessError now results in a connection error.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79562](https://go.dev/issue/79562)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781621](https://go.dev/cl/781621)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5014) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking server panic during CheckHostKey/Authenticate in
golang.org/x/crypto/ssh
[CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835) /
[GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)

<details>
<summary>More information</summary>

#### Details
SSH servers which use CertChecker as a public key callback without
setting IsUserAuthority or IsHostAuthority could be caused to panic by a
client presenting a certificate. CertChecker now returns an error
instead of panicking when these callbacks are nil.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79563](https://go.dev/issue/79563)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781660](https://go.dev/cl/781660)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5015) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking memory leak when rejecting channels can lead to DoS in
golang.org/x/crypto/ssh
[CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827) /
[GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016)

<details>
<summary>More information</summary>

#### Details
An authenticated SSH client that repeatedly opened channels which were
rejected by the server caused unbounded memory growth, eventually
crashing the server process and affecting all connected users. Rejected
channels are now properly removed from the connection's internal state
and released for garbage collection.

#### Severity
Unknown

#### References
- [https://go.dev/issue/35127](https://go.dev/issue/35127)
- [https://go.dev/cl/781320](https://go.dev/cl/781320)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5016) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking client can cause server deadlock on unexpected responses in
golang.org/x/crypto/ssh
[CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830) /
[GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)

<details>
<summary>More information</summary>

#### Details
A malicious SSH peer could send unsolicited global request responses to
fill an internal buffer, blocking the connection's read loop. The
blocked goroutine could not be released by calling Close(), resulting in
a resource leak per connection. Unsolicited global responses are now
discarded.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79564](https://go.dev/issue/79564)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781640](https://go.dev/cl/781640)
- [https://go.dev/cl/781664](https://go.dev/cl/781664)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5017) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking pathological RSA/DSA parameters may cause DoS in
golang.org/x/crypto/ssh
[CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829) /
[GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018)

<details>
<summary>More information</summary>

#### Details
The RSA and DSA public key parsers did not enforce size limits on key
parameters. A crafted public key with an excessively large modulus or
DSA parameter could cause several minutes of CPU consumption during
signature verification. This could be triggered by unauthenticated
clients during public key authentication. RSA moduli are now limited to
8192 bits, and DSA parameters are validated per FIPS 186-2.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79565](https://go.dev/issue/79565)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781641](https://go.dev/cl/781641)
- [https://go.dev/cl/781661](https://go.dev/cl/781661)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5018) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking bypass of FIDO/U2F security keys physical interaction in
golang.org/x/crypto/ssh
[CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831) /
[GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019)

<details>
<summary>More information</summary>

#### Details
The Verify() method for FIDO/U2F security key types
(sk-ecdsa-sha2-nistp256@&#8203;openssh.com,
sk-ssh-ed25519@&#8203;openssh.com) did not check the User Presence flag.
Signatures generated without physical touch were accepted, allowing
unattended use of a hardware security key. To restore the previous
behavior, return a "no-touch-required" extension in
Permissions.Extensions from PublicKeyCallback.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79566](https://go.dev/issue/79566)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781662](https://go.dev/cl/781662)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5019) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking infinite loop on large channel writes in
golang.org/x/crypto/ssh
[CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834) /
[GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020)

<details>
<summary>More information</summary>

#### Details
When writing data larger than 4GB in a single Write call on an SSH
channel, an integer overflow in the internal payload size calculation
caused the write loop to spin indefinitely, sending empty packets
without making progress. The size comparison now uses int64 to prevent
truncation.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79567](https://go.dev/issue/79567)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781663](https://go.dev/cl/781663)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5020) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking auth bypass via unenforced @&#8203;revoked status in
golang.org/x/crypto/ssh/knownhosts
[CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508) /
[GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021)

<details>
<summary>More information</summary>

#### Details
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly
checked for revocation. Now, both the 'key' and 'key.SignatureKey' are
checked for @&#8203;revoked.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79568](https://go.dev/issue/79568)
- [https://go.dev/cl/781220](https://go.dev/cl/781220)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5021) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking VerifiedPublicKeyCallback permissions skip enforcement in
golang.org/x/crypto/ssh
[CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595) /
[GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023)

<details>
<summary>More information</summary>

#### Details
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh
server configurations; if any other type of callback is passed other
than public key, then the source-address validation would be skipped.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79570](https://go.dev/issue/79570)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781642](https://go.dev/cl/781642)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5023) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Invoking pathological inputs can lead to client panic in
golang.org/x/crypto/ssh/agent
[CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598) /
[GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033)

<details>
<summary>More information</summary>

#### Details
For certain crafted inputs, a 'ed25519.PrivateKey' was created by
casting malformed wire bytes, leading to a panic when used.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79596](https://go.dev/issue/79596)
- [https://go.dev/cl/781360](https://go.dev/cl/781360)
-
[https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5033) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 76eea6cc7d5..1636ce976fd 100644
--- a/go.mod
+++ b/go.mod
@@ -109,12 +109,12 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go/v2 v2.26.0
 	go.yaml.in/yaml/v4 v4.0.0-rc.3
-	golang.org/x/crypto v0.51.0
+	golang.org/x/crypto v0.52.0
 	golang.org/x/image v0.40.0
 	golang.org/x/net v0.54.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.44.0
+	golang.org/x/sys v0.45.0
 	golang.org/x/text v0.37.0
 	google.golang.org/grpc v1.81.1
 	google.golang.org/protobuf v1.36.11
diff --git a/go.sum b/go.sum
index 0510378cb4b..2864a2fec11 100644
--- a/go.sum
+++ b/go.sum
@@ -790,8 +790,8 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
-golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
@@ -870,8 +870,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=