chore: upgrade golang.org/x/crypto to ^0.52.0 to address CVE-2026-39827

linear-code[bot] · linear-code[bot] · commit 5a0d2eda9034 · 2026-06-23T14:02:45.000Z
Force-upgrade x/crypto in the zoekt Docker build to a patched version (>= v0.52.0) to address CVE-2026-39827, where an authenticated SSH client repeatedly opening rejected channels could cause unbounded memory growth in the server. x/crypto enters the image only via the vendored zoekt Go build, so the upgrade is applied there. Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1421/sourcebot-devsourcebot-cve-2026-39827-an-authenticated-ssh-client-that#agent-session-dd6262ca) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353)
 
+### Fixed
+- Upgraded `golang.org/x/crypto` to `^0.52.0` in the zoekt build to address CVE-2026-39827. [#1363](https://github.com/sourcebot-dev/sourcebot/pull/1363)
+
 ## [5.0.4] - 2026-06-18
 
 ### Changed
diff --git a/Dockerfile b/Dockerfile
@@ -26,6 +26,10 @@ WORKDIR /zoekt
 COPY vendor/zoekt/go.mod vendor/zoekt/go.sum ./
 RUN go mod download
 COPY vendor/zoekt ./
+# Force-upgrade golang.org/x/crypto to a patched version to address CVE-2026-39827
+# (unbounded memory growth from repeatedly-rejected SSH channels). This pulls the
+# fixed version into the built zoekt binaries; remove once vendor/zoekt pins >= v0.52.0.
+RUN go get golang.org/x/crypto@v0.52.0
 RUN CGO_ENABLED=0 GOOS=linux go build -o /cmd/ ./cmd/...
 # -------------------------
 
