CVE-2026-3497

EUVD-2026-11684
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
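The control-flow pattern described above, as a toy C model added here for illustration (not code from OpenSSH or from any distribution's GSSAPI patch). soft_disconnect() and fatal_disconnect() are hypothetical stand-ins for sshpkt_disconnect() and ssh_packet_disconnect(), the message numbers are constructed, and a token_set flag plus longjmp stand in for uninitialized memory and process exit so the run stays deterministic.

```c
/* Toy model (constructed): every name and message number here is hypothetical. */
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

enum { MSG_KEX_COMPLETE = 1, MSG_UNEXPECTED = 99 };   /* constructed values */
enum result { KEX_DONE, KEX_TERMINATED, KEX_USED_UNSET_STATE };

struct conn { int disconnect_queued; jmp_buf fatal; };
struct kex_state { const char *token; int token_set; };

/* Models sshpkt_disconnect(): notes the disconnect and RETURNS to the caller. */
static void soft_disconnect(struct conn *c) { c->disconnect_queued = 1; }

/* Models ssh_packet_disconnect(): never returns (process exit in the real code). */
static void fatal_disconnect(struct conn *c) { longjmp(c->fatal, 1); }

static enum result kex_step(struct conn *c, int msg_type, int hardened)
{
    /* token_set = 0 stands in for "uninitialized"; real code has no such flag. */
    struct kex_state st = { NULL, 0 };

    switch (msg_type) {
    case MSG_KEX_COMPLETE:
        st.token = "peer-token";
        st.token_set = 1;
        break;
    default:                      /* unexpected message type from the peer */
        if (hardened)
            fatal_disconnect(c);  /* control never reaches the code below */
        else
            soft_disconnect(c);   /* returns, so execution falls through */
        break;
    }
    /* Post-exchange code that assumes the switch populated the state. */
    return st.token_set ? KEX_DONE : KEX_USED_UNSET_STATE;
}

/* Runs one step; a fatal disconnect unwinds to here instead of exiting. */
enum result run_kex(int msg_type, int hardened)
{
    struct conn c = { 0 };
    if (setjmp(c.fatal))
        return KEX_TERMINATED;
    return kex_step(&c, msg_type, hardened);
}

int main(void)
{
    printf("soft=%d fatal=%d\n", run_kex(MSG_UNEXPECTED, 0), run_kex(MSG_UNEXPECTED, 1));
    return 0;
}
```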
Provider, Type, Base Score, Atk. Vector, Atk. Complexity, Priv. Required, Vector
NIST, Primary, UNKNOWN, ---
Status: Awaiting analysis. This vulnerability is currently awaiting analysis.
EPSS Score percentile: Unknown
Debian Releases
Product: openssh
bookworm: vulnerable
bookworm (security): vulnerable
bullseye: vulnerable
bullseye (security): vulnerable
forky: vulnerable
sid: vulnerable
trixie: vulnerable
Ubuntu Releases
Product: openssh
bionic: not-affected
focal: released (Fixed 1:8.2p1-4ubuntu0.13+esm1)
jammy: released (Fixed 1:8.9p1-3ubuntu0.14)
noble: released (Fixed 1:9.6p1-3ubuntu13.15)
questing: released (Fixed 1:10.0p1-5ubuntu5.1)
trusty: not-affected
xenial: not-affected
Product: openssh-ssh1
bionic: ignored
focal: ignored
jammy: ignored
noble: ignored
questing: ignored