CVE-2026-3497

EUVD-2026-11684
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
canonicalubuntu_linux
25.10
openbsdopenssh
-
canonicalubuntu_linux
20.04
canonicalubuntu_linux
22.04
canonicalubuntu_linux
24.04
debiandebian_linux
11.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssh
bookworm
1:9.2p1-2+deb12u10
fixed
bookworm (security)
1:9.2p1-2+deb12u9
fixed
bullseye
vulnerable
bullseye (security)
1:8.4p1-5+deb11u7
fixed
forky
1:10.3p1-4
fixed
sid
1:10.3p1-4
fixed
trixie
1:10.0p1-7+deb13u4
fixed
trixie (security)
1:10.0p1-7+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssh
bionic
not-affected
focal
Fixed 1:8.2p1-4ubuntu0.13+esm1
released
jammy
Fixed 1:8.9p1-3ubuntu0.14
released
noble
Fixed 1:9.6p1-3ubuntu13.15
released
questing
Fixed 1:10.0p1-5ubuntu5.1
released
resolute
not-affected
trusty
not-affected
xenial
not-affected
openssh-ssh1
bionic
ignored
focal
ignored
jammy
ignored
noble
ignored
questing
ignored
resolute
ignored
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssh
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
RHEL 9
0:8.7p1-48.el9_7
fixed
openssh-askpass
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
RHEL 9
0:8.7p1-48.el9_7
fixed
openssh-cavs
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
openssh-clients
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
RHEL 9
0:8.7p1-48.el9_7
fixed
openssh-keycat
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
RHEL 9
0:8.7p1-48.el9_7
fixed
openssh-ldap
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
openssh-server
RHEL 8
0:8.0p1-28.el8_10
fixed
RHEL 8.4 AUS
0:8.0p1-7.el8_4.1
fixed
RHEL 8.6 AUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 E4S
0:8.0p1-15.el8_6.4
fixed
RHEL 8.6 TUS
0:8.0p1-15.el8_6.4
fixed
RHEL 8.8 E4S
0:8.0p1-20.el8_8.3
fixed
RHEL 8.8 TUS
0:8.0p1-20.el8_8.3
fixed
RHEL 9
0:8.7p1-48.el9_7
fixed
pam
RHEL 8
0:0.10.3-7.28.el8_10
fixed
RHEL 8.4 AUS
0:0.10.3-7.7.el8_4.2
fixed
RHEL 8.6 AUS
0:0.10.3-7.15.el8_6.4
fixed
RHEL 8.6 E4S
0:0.10.3-7.15.el8_6.4
fixed
RHEL 8.6 TUS
0:0.10.3-7.15.el8_6.4
fixed
RHEL 8.8 E4S
0:0.10.3-7.20.el8_8.3
fixed
RHEL 8.8 TUS
0:0.10.3-7.20.el8_8.3
fixed
RHEL 9
0:0.10.4-5.48.el9_7
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
openssh
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-clients
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-clients-debuginfo
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-debuginfo
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-debugsource
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-keycat
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-keycat-debuginfo
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-server
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
openssh-server-debuginfo
Amazon Linux 2023
0:8.7p1-8.amzn2023.0.18
fixed
pam_ssh_agent_auth
Amazon Linux 2023
0:0.10.4-4.8.amzn2023.0.18
fixed
pam_ssh_agent_auth-debuginfo
Amazon Linux 2023
0:0.10.4-4.8.amzn2023.0.18
fixed
Common Weakness Enumeration
References
https://ubuntu.com/security/CVE-2026-3497
https://www.openwall.com/lists/oss-security/2026/03/12/3
http://www.openwall.com/lists/oss-security/2026/03/12/3
http://www.openwall.com/lists/oss-security/2026/03/14/3
http://www.openwall.com/lists/oss-security/2026/03/14/4
http://www.openwall.com/lists/oss-security/2026/03/18/2
http://www.openwall.com/lists/oss-security/2026/03/18/4
http://www.openwall.com/lists/oss-security/2026/03/18/5
http://www.openwall.com/lists/oss-security/2026/03/18/7
https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html