IM
IronMonkey Threat Research

CVE-2026-3497 HIGH

Published: 2026-03-12 | Last Modified: 2026-07-15 | Status: Modified

Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Additional Descriptions (1)

Vulnerabilidad en el delta GSSAPI de OpenSSH incluida en varias distribuciones de Linux. Esta vulnerabilidad afecta a los parches GSSAPI añadidos por varias distribuciones de Linux y no afecta al proyecto upstream de OpenSSH en sí. El uso de sshpkt_disconnect() en caso de error, que no termina el proceso, permite a un atacante enviar un tipo de mensaje GSSAPI inesperado durante el intercambio de claves GSSAPI al servidor, lo que llamará a la función subyacente y continuará la ejecución del programa sin establecer las variables de conexión relacionadas. Como las variables no se inicializan a NULL, el código accede posteriormente a esas variables no inicializadas, accediendo a memoria aleatoria, lo que podría llevar a un comportamiento indefinido. La solución alternativa recomendada es usar ssh_packet_disconnect() en su lugar, que sí termina el proceso. El impacto de la vulnerabilidad depende en gran medida de la configuración de endurecimiento de las banderas del compilador.

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 3.6

Base Score: 6.9 (MEDIUM)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack VectorNETWORK
Attack ComplexityLOW
Attack RequirementsNONE
Privileges RequiredNONE
User InteractionNONE
Vulnerability ConfidentialityNONE
Vulnerability IntegrityLOW
Vulnerability AvailabilityLOW
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE

Source: [email protected]

Type: Secondary

Weaknesses

Source Type Description
[email protected] Secondary
en CWE-908
0b0ca135-0b70-47e7-9f44-1890c2a1c46c Secondary
en CWE-824

Affected Products

Vendor Product Version Update Type
canonical ubuntu_linux 25.10 <built-in method update of dict object at 0x702b8344eb40> Application
openbsd openssh - <built-in method update of dict object at 0x702bfc1dd4c0> Application
canonical ubuntu_linux 20.04 <built-in method update of dict object at 0x702bfc1de2c0> Operating System
canonical ubuntu_linux 22.04 <built-in method update of dict object at 0x702b8052ecc0> Operating System
canonical ubuntu_linux 24.04 <built-in method update of dict object at 0x702b8344f8c0> Operating System
debian debian_linux 11.0 <built-in method update of dict object at 0x702bdd26c940> Operating System
redhat enterprise_linux 8.0 <built-in method update of dict object at 0x702bdd2f2940> Operating System
redhat enterprise_linux 9.0 <built-in method update of dict object at 0x702bfc334f00> Operating System
redhat enterprise_linux 10.0 <built-in method update of dict object at 0x702bfc3358c0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:canonical:ubuntu_linux:25.10:*:*:*:*:*:*:*
Yes cpe:2.3:a:openbsd:openssh:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*

References

Notification
Message here