
chore(deps): update golang.org/x/crypto v0.52.0, golang.org/x/net v0.55.0#603

Merged
AkihiroSuda merged 1 commit into
rootless-containers:masterfrom
thaJeztah:bump_crypto
Jun 19, 2026

Conversation

@thaJeztah

Contributor
  • updates golang.org/x/crypto to v0.52.0 to address CVE-2026-46595, CVE-2026-39834, CVE-2026-42508, CVE-2026-39832, CVE-2026-39831, CVE-2026-39830, CVE-2026-39833
  • updates golang.org/x/net to v0.55.0 to address CVE-2026-39821

govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2026-5020
    Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2026-5020
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.50.0
    Fixed in: golang.org/x/crypto@v0.52.0
    Example traces found:
      #1: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.NewClientConn
      #2: pkg/port/builtin/parent/udp/udpproxy/udp_proxy.go:102:16: udpproxy.UDPProxy.Run calls fmt.Fprintf, which calls ssh.channel.Write

Vulnerability #2: GO-2026-5019
    Invoking bypass of FIDO/U2F security keys physical interaction in
    golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2026-5019
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.50.0
    Fixed in: golang.org/x/crypto@v0.52.0
    Example traces found:
      #1: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.NewClientConn

Vulnerability #3: GO-2026-5018
    Invoking pathological RSA/DSA parameters may cause DoS in
    golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2026-5018
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.50.0
    Fixed in: golang.org/x/crypto@v0.52.0
    Example traces found:
      #1: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.NewClientConn
      #2: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.ParseKnownHosts
      #3: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.ParsePrivateKey
      #4: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.ParsePrivateKeyWithPassphrase

Vulnerability #4: GO-2026-5017
    Invoking client can cause server deadlock on unexpected responses in
    golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2026-5017
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.50.0
    Fixed in: golang.org/x/crypto@v0.52.0
    Example traces found:
      #1: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.NewClientConn
      #2: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.mux.SendRequest

Vulnerability #5: GO-2026-5013
    Invoking byte arithmetic causes underflow and panic in
    golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2026-5013
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.50.0
    Fixed in: golang.org/x/crypto@v0.52.0
    Example traces found:
      #1: pkg/port/gvisortapvsock/gvisortapvsock.go:115:25: gvisortapvsock.driver.unexposePort calls http.ServeMux.ServeHTTP, which eventually calls ssh.NewClientConn

Your code is affected by 5 vulnerabilities from 1 module.
This scan also found 5 vulnerabilities in packages you import and 9
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
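The summary at the end of the report above separates three buckets: vulnerabilities govulncheck found a call path into ("your code is affected"), vulnerabilities in packages the code merely imports, and vulnerabilities in modules go.mod merely requires. When a bump like this one is being triaged, the first bucket is the one that needs a reachability look; the other two are what shows up as scanner noise. The following is an added example, not code from this PR or from RootlessKit, that reads the `govulncheck -json` stream and sorts findings into those buckets by the depth of `trace[0]` (module only, module+package, or module+package+function). The JSON field names are taken from govulncheck's output format; the sample stream is constructed, with the two `GO-2026-*` ids coming from the report above and the `GO-0000-000x` ids and `example.invalid` paths being placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Frame is one hop of a govulncheck -json finding trace; trace[0] is the vulnerable
// module, package or function. Field names follow govulncheck's JSON format.
type Frame struct {
	Module   string `json:"module"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the payload of a {"finding": ...} message in the stream.
type Finding struct {
	OSV   string   `json:"osv"`
	Trace []*Frame `json:"trace"`
}

// Level is how deep govulncheck could prove the vulnerable code is used: symbol = a call
// path into the vulnerable function ("your code is affected"), package = only an import,
// module = only a go.mod requirement.
type Level int

const (
	ModuleLevel Level = iota
	PackageLevel
	SymbolLevel
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// Classify reads the level off the first trace frame.
func Classify(f *Finding) Level {
	if len(f.Trace) == 0 || f.Trace[0].Package == "" {
		return ModuleLevel
	}
	if f.Trace[0].Function == "" {
		return PackageLevel
	}
	return SymbolLevel
}

type Summary map[string]Level // per OSV id, the deepest level at which it was reported

// Triage folds a govulncheck -json stream into a Summary; govulncheck emits one finding per
// level, and "config"/"progress"/"osv" messages decode to a nil Finding and are skipped.
func Triage(r io.Reader) (Summary, error) {
	dec, s := json.NewDecoder(r), Summary{}
	for {
		var m struct{ Finding *Finding `json:"finding"` }
		if err := dec.Decode(&m); err == io.EOF {
			return s, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		id, lvl := m.Finding.OSV, Classify(m.Finding)
		if cur, ok := s[id]; !ok || lvl > cur {
			s[id] = lvl
		}
	}
}

// ByLevel returns the sorted OSV ids whose deepest report is exactly l.
func (s Summary) ByLevel(l Level) []string {
	ids := []string{}
	for id, lvl := range s {
		if lvl == l {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleJSON is a constructed excerpt, not output captured from RootlessKit. GO-2026-5020
// and GO-2026-5019 come from the report above; the GO-0000-000x ids are placeholders for
// the "imported but not called" and "required but not imported" buckets.
const SampleJSON = `
{"progress":{"message":"Scanning your code and 100 packages across 10 dependent modules..."}}
{"finding":{"osv":"GO-2026-5020","trace":[{"module":"golang.org/x/crypto","package":"golang.org/x/crypto/ssh"}]}}
{"finding":{"osv":"GO-2026-5020","trace":[{"module":"golang.org/x/crypto","package":"golang.org/x/crypto/ssh","function":"Write"},{"module":"example.invalid/app","package":"example.invalid/app/udpproxy","function":"Run"}]}}
{"finding":{"osv":"GO-2026-5019","trace":[{"module":"golang.org/x/crypto","package":"golang.org/x/crypto/ssh","function":"NewClientConn"}]}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.invalid/mod","package":"example.invalid/mod/pkg"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.invalid/other"}]}}
`

func main() {
	s, _ := Triage(strings.NewReader(SampleJSON)) // constructed input: cannot fail to decode
	for _, l := range []Level{SymbolLevel, PackageLevel, ModuleLevel} {
		fmt.Printf("%-8s %v\n", l, s.ByLevel(l))
	}
}
```

Piping a real scan through it (`govulncheck -json ./... | go run triage.go` with the sample replaced by `os.Stdin`) gives the symbol-level list to review by hand; the symbol-level trace frames after `trace[0]` are the call path a reviewer would check against the actual RootlessKit code paths to decide whether a finding is a false positive.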

…55.0

- updates golang.org/x/crypto to v0.52.0 to address CVE-2026-46595,
  CVE-2026-39834, CVE-2026-42508, CVE-2026-39832, CVE-2026-39831,
  CVE-2026-39830, CVE-2026-39833,
- updates golang.org/x/net to v0.55.0 to address CVE-2026-39821

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah

Contributor Author

cc @AkihiroSuda

I noticed these show up in our images; kept the bumps to the lowest versions with the fix for now, but perhaps would be good to have a new release to keep the scanners at bay 😅

@AkihiroSuda

AkihiroSuda commented Jun 19, 2026

Member

> Your code is affected by 5 vulnerabilities from 1 module.

Does this actually affect RootlessKit or is it just a false positive?

@AkihiroSuda AkihiroSuda added this to the v3.0.2 milestone Jun 19, 2026

@AkihiroSuda AkihiroSuda left a comment

Member


Let's merge this anyway, thanks

@AkihiroSuda AkihiroSuda merged commit 04529c7 into rootless-containers:master Jun 19, 2026
8 checks passed
@thaJeztah

Contributor Author

> Does this actually affect RootlessKit or is it just a false positive?

Good question for sure! GOVULNCHECK showed it up (which is usually better than most other scanners), but quite likely false positives. Those can still cause a lot of noise though 😞

Noticed the same situation with runc, which shows two CVEs with score 9.6, but it only uses the ebpf package from golang.org/x/net 😞

