Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in CrowdStrike LogScale

Detects exploitation of CVE-2026-46595, a critical authentication bypass (CVSS 10.0) in golang.org/x/crypto/ssh versions before 0.52.0. When a server authenticates clients through VerifiedPublicKeyCallback, affected versions fail to enforce the permission checks that should be tied to the presented key, so a client can complete authentication without being properly authorized. The issue is a regression/variant of CVE-2024-45337, and a public proof of concept exists.

MITRE ATT&CK

Tactics

  • Initial Access
  • Persistence
  • Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
// Candidate telemetry: logons, network connections and process executions
in(field="#event_simpleName", values=["UserLogon", "NetworkConnectIP4", "ProcessRollup2", "SyntheticProcessRollup2"])
// Keep an event if it looks SSH-related on at least one axis: process name or command line,
// remote/network logon type, or a connection to the SSH port
| FileName = "sshd" or FileName = "ssh" or CommandLine = /golang|x\/crypto\/ssh|VerifiedPublicKeyCallback/i or LogonType = "10" or LogonType = "3" or RemotePort = "22"
| UserName != "" and UserName != "SYSTEM"
// Classify each event; the first matching branch wins
| case {
    CommandLine = /publickey/i | auth_indicator := "publickey_auth";
    #event_simpleName = "UserLogon" and (LogonType = "10" or LogonType = "3") | auth_indicator := "ssh_logon";
    RemotePort = "22" | auth_indicator := "ssh_network";
    * | auth_indicator := "other";
  }
| auth_indicator != "other"
// Process events carry no remote address; keep them in the aggregation with a placeholder
| default(field=RemoteAddressIP4, value="-")
| groupBy([RemoteAddressIP4, UserName, ComputerName, auth_indicator],
          function=[count(as=event_count), min(@timestamp, as=first_event), max(@timestamp, as=last_event)])
| sort(event_count, order=desc, limit=1000)
```

Severity: critical · Confidence: medium

CrowdStrike Falcon LogScale query that gathers SSH logon, SSH-port network and sshd/ssh process events and tallies them per source address, user and host as candidates for CVE-2026-46595 exploitation. Two caveats for the analyst: the library name (`x/crypto/ssh`, `VerifiedPublicKeyCallback`) does not appear in the command line of a compiled Go server, so that regex mostly matches developer tooling and test harnesses rather than the vulnerable service; and endpoint telemetry cannot see which public key the server accepted, so the query surfaces sessions for triage rather than proving a bypass. Confirm the server's linked x/crypto version (Test 2 below) before escalating.

Data Sources

  • CrowdStrike Falcon EDR
  • Process telemetry
  • Network telemetry

Required Tables

crowdstrike:events:sensor

False Positives & Tuning

  • Authorized SSH sessions from developer machines to Go-based SSH servers
  • CrowdStrike-monitored hosts running legitimate Go applications with SSH server components
  • Penetration testing activities against authorized targets using SSH exploitation frameworks
  • DevOps automation using Go SSH clients and servers for infrastructure management

Testing Methodology

Validate this detection against three adversary techniques modelled on Atomic Red Team. Each test below names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation

     Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having the required permissions. Process execution events showing 'id', 'hostname' and echo commands as child processes of the SSH daemon.

  2. Test 2: Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection

     Expected signal: Process execution events for the 'go' binary with 'version -m' arguments; file access events on Go binaries under /usr/local/bin, /usr/bin, /opt and /proc/*/exe.

  3. Test 3: SSH Brute-Force Simulation Against a Go SSH Server to Test Alerting

     Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by possible 'Accepted publickey' entries if the target server is vulnerable. Network connection events on the SSH port from the test machine.
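As an added example (not code from this page or from the detection vendor), the following Go program performs the binary-inspection step of Test 2 programmatically. It reads the module list embedded in each Go binary, the same data that `go version -m` prints, through the standard library's debug/buildinfo package, and flags binaries whose linked golang.org/x/crypto is older than the v0.52.0 threshold stated in the description above. The comparison treats pseudo-versions as pre-releases of their base version and honours replace directives, so a binary built with a `replace` to a patched fork is not flagged. The default scan roots are the paths Test 2 names; the function and constant names are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"path/filepath"
	"runtime/debug"
	"strconv"
	"strings"
)

const fixedVersion = "v0.52.0" // threshold from the description above (the page's claim)

// parseSemver splits "v0.51.0" or a pseudo-version "v0.52.0-0.2026...-abc" into three numbers and a pre-release flag.
func parseSemver(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = true, v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, pre, fmt.Errorf("not a semver version: %q", v)
	}
	for i, f := range fields {
		if parts[i], err = strconv.Atoi(f); err != nil {
			return parts, pre, fmt.Errorf("bad component %q in %q", f, v)
		}
	}
	return parts, pre, nil
}

// VersionLess reports whether a sorts before b: components compare numerically (v0.9.0 < v0.10.0)
// and a pre-release sorts below its base release, so a pseudo-version of v0.52.0 is still older than the fix.
func VersionLess(a, b string) (bool, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// CryptoVersion returns the x/crypto version linked into the binary (a replace directive wins); "" if absent.
func CryptoVersion(info *debug.BuildInfo) string {
	for _, dep := range info.Deps {
		if dep.Path != "golang.org/x/crypto" {
			continue
		}
		if dep.Replace != nil {
			return dep.Replace.Version
		}
		return dep.Version
	}
	return ""
}

// IsVulnerable reports whether info shows x/crypto older than fixedVersion; no x/crypto, no bug.
func IsVulnerable(info *debug.BuildInfo) (bool, error) {
	v := CryptoVersion(info)
	if v == "" {
		return false, nil
	}
	return VersionLess(v, fixedVersion)
}

// ScanDir walks root, reads the build info of every Go binary it finds (what `go version -m` prints)
// and returns "path version" for affected ones. Non-Go files and unreadable entries are skipped.
func ScanDir(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if d == nil { // the root itself could not be stat'ed: report it
			return walkErr
		}
		if walkErr != nil || d.IsDir() {
			return nil
		}
		if info, err := buildinfo.ReadFile(path); err == nil { // only Go binaries carry build info
			if vuln, err := IsVulnerable(info); err == nil && vuln {
				hits = append(hits, path+" "+CryptoVersion(info))
			}
		}
		return nil
	})
	return hits, err
}

func main() {
	for _, root := range []string{"/usr/local/bin", "/usr/bin", "/opt"} { // the paths Test 2 names
		hits, err := ScanDir(root)
		fmt.Println(root, "affected:", hits, "error:", err)
	}
}
```

Run it as root on the hosts the detection covers; each line of the form `/opt/app/sshd v0.31.0` is a binary to rebuild against a fixed x/crypto. A binary that reports `(devel)` or no module information was built without module data and must be checked from its source tree instead.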
