
[Aikido] Fix 20 security issues in x/crypto, x/net, x/sys#59

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/AIK-14409-update-packages-44070604-eh7e

Conversation


@aikido-autofix aikido-autofix Bot commented Jun 3, 2026

Upgrade golang.org/x/crypto, golang.org/x/net, and golang.org/x/sys to fix critical SSH vulnerabilities: authorization bypass, resource exhaustion DoS, FIDO key verification bypass, integer overflow, and certificate revocation bypass.

✅ 20 CVEs resolved by this upgrade, including 8 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2026-11022 | 🚨 CRITICAL | [golang.org/x/crypto] Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any type of callback other than public key is passed, then the source-address validation would be skipped. |
| AIKIDO-2026-11025 | 🚨 CRITICAL | [golang.org/x/crypto] A malicious SSH peer can send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop and causing a resource leak that cannot be released by Close(). This results in a denial of service through goroutine exhaustion. |
| AIKIDO-2026-11029 | 🚨 CRITICAL | [golang.org/x/crypto] The Verify() method for FIDO/U2F security keys fails to check the User Presence flag, allowing signatures generated without physical touch to be accepted. This enables unauthorized unattended use of hardware security keys, bypassing intended physical authentication requirements. |
| AIKIDO-2026-11028 | 🚨 CRITICAL | [golang.org/x/crypto] An integer overflow in SSH channel write operations causes an infinite loop when writing data larger than 4GB in a single call, resulting in denial of service through empty packet transmission. The vulnerability has been fixed by using int64 for size comparisons to prevent truncation. |
| AIKIDO-2026-11027 | 🚨 CRITICAL | [golang.org/x/crypto] Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked. |
| AIKIDO-2026-11034 | 🚨 CRITICAL | [golang.org/x/crypto] A keyring implementation silently ignored the ConfirmBeforeUse constraint on keys, allowing unauthorized signing without prompts or caller notification. This has been fixed to return an error when unsupported constraints are requested. |
| AIKIDO-2026-11033 | 🚨 CRITICAL | [golang.org/x/crypto] SSH agent key constraint extensions were not serialized when adding keys to remote agents, allowing destination restrictions to be silently stripped and keys to be used without restrictions on remote hosts. The vulnerability has been fixed by serializing all constraint extensions and rejecting keys with unsupported constraints. |
| AIKIDO-2026-11032 | HIGH | [golang.org/x/crypto] An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. |
| AIKIDO-2026-11026 | MEDIUM | [golang.org/x/crypto] An authenticated SSH client can cause unbounded memory growth by repeatedly opening rejected channels, leading to server crashes and denial of service for all connected users. The vulnerability has been fixed by properly removing rejected channels from internal state. |
| AIKIDO-2026-11031 | MEDIUM | [golang.org/x/crypto] An SSH server authentication callback that returns PartialSuccessError with non-nil Permissions silently discards those permissions, potentially bypassing certificate restrictions like force-command after second factor authentication succeeds. This vulnerability allows attackers to bypass security restrictions. |
| AIKIDO-2026-11023 | MEDIUM | [golang.org/x/crypto] For certain crafted inputs, an 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. |
| AIKIDO-2026-11024 | LOW | [golang.org/x/crypto] RSA and DSA public key parsers lack size limits, allowing crafted keys with excessively large parameters to consume CPU for minutes during signature verification. This enables unauthenticated denial-of-service attacks during public key authentication. |
| AIKIDO-2026-11030 | LOW | [golang.org/x/crypto] SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. |
| AIKIDO-2026-11039 | 🚨 CRITICAL | [golang.org/x/net] Punycode validation bypass in idna functions allows ASCII-only labels to be incorrectly accepted, enabling privilege escalation when hostname validation is bypassed through encoded domain names. An attacker could exploit inconsistent validation between encoded and decoded hostnames to circumvent access controls. |
| AIKIDO-2026-11035 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| AIKIDO-2026-11036 | MEDIUM | [golang.org/x/net] The HTML parser mishandled character references in DOCTYPE nodes, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML. |
| AIKIDO-2026-11038 | MEDIUM | [golang.org/x/net] The HTML parser mishandled certain HTML elements in foreign content, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML. |
| AIKIDO-2026-11040 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| AIKIDO-2026-11037 | LOW | [golang.org/x/net] Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. |
| AIKIDO-2026-11041 | LOW | [golang.org/x/sys] NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. |
🔗 Related Tasks
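The FIDO/U2F User Presence issue (AIKIDO-2026-11029) is easy to get wrong because the flags byte is part of the signed data: the signature can be perfectly valid while still attesting that nobody touched the key. The following is an added, self-contained Go example, not code from this PR or from golang.org/x/crypto. It models an sk-ssh-ed25519 style verifier with the standard library only; the signed-blob layout (sha256(application) || flags || counter || sha256(message)) is assumed from OpenSSH's PROTOCOL.u2f description, and `fakeAuthenticator`, `verifyIgnoringUP`, `verifyRequiringUP` and the challenge bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// User Presence bit of the FIDO/U2F authenticator "flags" byte: a genuine
// token sets it only after the user physically touched the key.
const flagUserPresence byte = 0x01

// skSignature is a parsed security-key signature: the Ed25519 signature plus
// the flags byte and touch counter the authenticator reported alongside it.
type skSignature struct {
	Sig     []byte
	Flags   byte
	Counter uint32
}

// signedData is the blob the authenticator signs. Layout assumed from
// OpenSSH PROTOCOL.u2f: sha256(application) || flags || counter || sha256(message).
func signedData(application string, flags byte, counter uint32, message []byte) []byte {
	appHash := sha256.Sum256([]byte(application))
	msgHash := sha256.Sum256(message)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := make([]byte, 0, len(appHash)+1+len(ctr)+len(msgHash))
	out = append(out, appHash[:]...)
	out = append(out, flags)
	out = append(out, ctr[:]...)
	out = append(out, msgHash[:]...)
	return out
}

// fakeAuthenticator stands in for a hardware key (constructed for this
// example). A buggy or malicious token can sign with the UP bit clear.
type fakeAuthenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func (a *fakeAuthenticator) sign(application string, message []byte, touched bool) skSignature {
	a.counter++
	var flags byte
	if touched {
		flags = flagUserPresence
	}
	sig := ed25519.Sign(a.priv, signedData(application, flags, a.counter, message))
	return skSignature{Sig: sig, Flags: flags, Counter: a.counter}
}

// verifyIgnoringUP mirrors the flawed behaviour described in the advisory:
// the signature is validated but the flags byte is never inspected.
func verifyIgnoringUP(pub ed25519.PublicKey, application string, message []byte, s skSignature) bool {
	return ed25519.Verify(pub, signedData(application, s.Flags, s.Counter, message), s.Sig)
}

// verifyRequiringUP is the hardened form. Because the flags byte is covered
// by the signature, once the signature validates the UP bit is authentic,
// and it must be set; an attacker cannot simply flip the bit afterwards.
func verifyRequiringUP(pub ed25519.PublicKey, application string, message []byte, s skSignature) error {
	if !ed25519.Verify(pub, signedData(application, s.Flags, s.Counter, message), s.Sig) {
		return errors.New("sk-ed25519: signature does not verify")
	}
	if s.Flags&flagUserPresence == 0 {
		return errors.New("sk-ed25519: user presence flag clear (no physical touch)")
	}
	return nil
}

// demo signs one challenge with and without a touch, then reports which
// verifier accepts which signature and whether forging the UP bit works.
func demo() (flawedAcceptsUntouched, fixedAcceptsUntouched, fixedAcceptsTouched, forgedUPAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, false, err
	}
	auth := &fakeAuthenticator{priv: priv}
	app := "ssh:"                                              // OpenSSH's default application string
	challenge := []byte("constructed session-id||userauth-req") // constructed input
	untouched := auth.sign(app, challenge, false)
	touched := auth.sign(app, challenge, true)
	forged := untouched
	forged.Flags |= flagUserPresence // attacker sets UP without re-signing
	flawedAcceptsUntouched = verifyIgnoringUP(pub, app, challenge, untouched)
	fixedAcceptsUntouched = verifyRequiringUP(pub, app, challenge, untouched) == nil
	fixedAcceptsTouched = verifyRequiringUP(pub, app, challenge, touched) == nil
	forgedUPAccepted = verifyRequiringUP(pub, app, challenge, forged) == nil
	return flawedAcceptsUntouched, fixedAcceptsUntouched, fixedAcceptsTouched, forgedUPAccepted, nil
}

func main() {
	a, b, c, d, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("flawed verifier accepts untouched: %v\n", a)
	fmt.Printf("fixed verifier accepts untouched:  %v\n", b)
	fmt.Printf("fixed verifier accepts touched:    %v\n", c)
	fmt.Printf("fixed verifier accepts forged UP:  %v\n", d)
}
```

The design point is the ordering: check the signature first so the flags byte you inspect is the one the token actually signed, then enforce the policy bit. Checking flags before the signature would let an attacker present any flags it likes.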
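The channel-write issue (AIKIDO-2026-11028) is a classic narrowing bug: a length that fits in a 64-bit `int` is cast to `uint32` before it is compared with the packet limit, and 4 GiB narrows to exactly zero. The following is an added Go model of that mechanism and its fix, not the actual x/crypto/ssh code; `maxPayload`, `chunkTruncating` and `chunkInt64` are constructed for illustration, and the loop works on lengths only so it runs without allocating 4 GiB. The `maxIter` bound exists only so the buggy variant can be observed rather than hanging.

```go
package main

import (
	"errors"
	"fmt"
)

// maxPayload is a constructed stand-in for the per-packet limit an SSH
// channel derives from the peer's window and maximum packet size.
const maxPayload = 32768

// chunkTruncating models the described bug: the remaining length is narrowed
// to uint32 before it is compared with the packet limit. On a 64-bit host a
// 4 GiB remainder narrows to 0, so the loop emits a zero-length packet, makes
// no progress and never terminates. maxIter bounds the loop for this model;
// the real loop had no such bound.
func chunkTruncating(total int64, maxIter int) (packets, emptyPackets int, stuck bool) {
	remaining := total
	for remaining > 0 {
		if packets >= maxIter {
			return packets, emptyPackets, true
		}
		want := uint32(remaining) // 1<<32 becomes 0 here
		n := want
		if n > maxPayload {
			n = maxPayload
		}
		packets++
		if n == 0 {
			emptyPackets++
		}
		remaining -= int64(n)
	}
	return packets, emptyPackets, false
}

// chunkInt64 is the corrected form: the comparison is done in int64 and only
// the bounded chunk length (<= maxPayload) is narrowed to uint32 for the wire.
func chunkInt64(total int64) (packets int, err error) {
	if total < 0 {
		return 0, errors.New("negative length")
	}
	remaining := total
	for remaining > 0 {
		n := remaining
		if n > maxPayload {
			n = maxPayload
		}
		wireLen := uint32(n) // safe: n <= maxPayload, far below 1<<32
		_ = wireLen          // would be written into the packet header here
		packets++
		remaining -= n
	}
	return packets, nil
}

func main() {
	p, e, stuck := chunkTruncating(1<<32, 1000)
	fmt.Printf("truncating: %d packets, %d empty, stuck=%v\n", p, e, stuck)
	p, _ = chunkInt64(1 << 32)
	fmt.Printf("int64:      %d packets\n", p)
}
```

A write of 4 GiB plus a few bytes is the nastier case: the first iteration narrows to the trailing few bytes and sends them, and only then does the loop reach the exact 4 GiB remainder and spin. Any code that mixes `int`/`int64` lengths with `uint32` wire fields should narrow as late as possible, after the value is known to be bounded.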
