CVE-2026-3497

Enriched by CISA
 

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. It affects the GSSAPI patches added by those distributions and does not affect the upstream OpenSSH project itself. The patched code calls sshpkt_disconnect() on an error, and that function does not terminate the process. An attacker can therefore send an unexpected GSSAPI message type to the server during the GSSAPI key exchange; the server calls the underlying function and continues executing without setting the related connection variables. Because those variables are not initialized to NULL, the code later accesses them uninitialized, reading random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
https://nvd.nist.gov/vuln/detail/CVE-2026-3497
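
A simplified C model of the control-flow flaw described above, added here as an illustration; it is not code from OpenSSH or from any distribution patch. Every name in it (handle_kex_reply, soft_disconnect, the message types and result codes) is hypothetical, and the pointer is initialised to NULL so the model can report the unset state instead of reading random memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout: a model of the pattern, not OpenSSH code. */
enum msg_type { MSG_KEX_CONTINUE = 1, MSG_KEX_COMPLETE = 2, MSG_UNEXPECTED = 99 };
enum kex_result { KEX_OK, KEX_ABORTED, KEX_USED_UNSET_STATE };

struct conn { int disconnect_sent; };

/* Models a disconnect that only queues a message and returns to its caller. */
static void soft_disconnect(struct conn *c) { c->disconnect_sent = 1; }

/* terminal_on_error = 0 models the flawed flow, 1 the corrected flow. */
enum kex_result handle_kex_reply(struct conn *c, enum msg_type type,
                                 const char *payload, int terminal_on_error)
{
    /* Initialised to NULL so that "never set" is detectable later on. */
    const char *server_token = NULL;

    switch (type) {
    case MSG_KEX_CONTINUE:
    case MSG_KEX_COMPLETE:
        server_token = payload;          /* expected types set the state */
        break;
    default:
        soft_disconnect(c);
        if (terminal_on_error)
            return KEX_ABORTED;          /* corrected: nothing below runs */
        break;                           /* flawed: execution falls through */
    }

    /* Later code assumes the switch above always set server_token. */
    if (server_token == NULL)
        return KEX_USED_UNSET_STATE;     /* without the NULL init: a wild read */
    return strlen(server_token) > 0 ? KEX_OK : KEX_ABORTED;
}

int main(void)
{
    struct conn c = {0};
    printf("flawed flow, unexpected type:    %d\n",
           handle_kex_reply(&c, MSG_UNEXPECTED, "tok", 0));
    printf("corrected flow, unexpected type: %d\n",
           handle_kex_reply(&c, MSG_UNEXPECTED, "tok", 1));
    return 0;
}
```
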

Categories

CWE-908 : Use of Uninitialized Resource
When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.

AFFECTED (from MITRE)


Vendor Product Versions
Ubuntu openssh
  • 1:10.0p1-5ubuntu5 < 1:10.0p1-5ubuntu5.1 [affected]
  • 1:9.6p1-3ubuntu13 < 1:9.6p1-3ubuntu13.15 [affected]
  • 1:8.9p1-3 < 1:8.9p1-3ubuntu0.14 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry