CVE-2026-3497
There is a vulnerability in the OpenSSH GSSAPI delta that is included in various Linux distributions. This issue affects the GSSAPI patches added by these distributions, but it does not impact the OpenSSH upstream project itself. The vulnerability arises from the use of sshpkt_disconnect() on an error, which does not terminate the process. Consequently, an attacker can send an unexpected GSSAPI message type during the GSSAPI key exchange to the server. This will invoke the underlying function and allow the program to continue execution without setting the associated connection variables. Since these variables are not initialized to NULL, the code can later access uninitialized variables, leading to potential undefined behavior. To mitigate this vulnerability, it is recommended to use ssh_packet_disconnect() instead, as it does terminate the process. The impact of the vulnerability is significantly influenced by the compiler flag hardening configuration.
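The control-flow pattern described above, as a simplified C model added here; it is not code from OpenSSH or from any distribution's GSSAPI patch. `queue_disconnect`, `kex_step_before`, `kex_step_after`, the message types and the return codes are hypothetical names, and an early return stands in for the process termination that ssh_packet_disconnect() provides. The `token_set` flag exists only so the model can report that control reached the use site without actually reading an uninitialized pointer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed message types and state; not OpenSSH definitions. */
enum { MSG_CONTINUE = 1, MSG_COMPLETE = 2 };
enum { STEP_OK = 0, STEP_ABORTED = -1, STEP_USED_UNSET = -2 };
struct conn { int disconnect_queued; };

/* Hypothetical stand-in for a disconnect helper that queues a message and returns. */
static int queue_disconnect(struct conn *c) { c->disconnect_queued = 1; return 0; }

/* Before: the default case reports the error, but control still reaches the use site. */
int kex_step_before(struct conn *c, int type, const char *payload, size_t *len)
{
    const char *token;   /* never set on the error path */
    int token_set = 0;   /* model-only tracker so the demo avoids real UB */
    switch (type) {
    case MSG_CONTINUE:
    case MSG_COMPLETE:
        token = payload; token_set = 1;
        break;
    default:
        queue_disconnect(c);   /* returns, so execution continues below */
        break;
    }
    if (!token_set)
        return STEP_USED_UNSET;   /* real code would read an indeterminate value here */
    *len = strlen(token);
    return STEP_OK;
}

/* After: initialise to NULL and leave the handler on the error path. */
int kex_step_after(struct conn *c, int type, const char *payload, size_t *len)
{
    const char *token = NULL;
    switch (type) {
    case MSG_CONTINUE:
    case MSG_COMPLETE:
        token = payload;
        break;
    default:
        queue_disconnect(c);
        return STEP_ABORTED;   /* stands in for a terminating disconnect */
    }
    if (token == NULL)         /* defence in depth: never use an unset value */
        return STEP_ABORTED;
    *len = strlen(token);
    return STEP_OK;
}
```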
References:
- https://ubuntu.com/security/CVE-2026-3497
- https://www.openwall.com/lists/oss-security/2026/03/12/3
- http://www.openwall.com/lists/oss-security/2026/03/12/3
- http://www.openwall.com/lists/oss-security/2026/03/14/3
- http://www.openwall.com/lists/oss-security/2026/03/14/4
- http://www.openwall.com/lists/oss-security/2026/03/18/2
- http://www.openwall.com/lists/oss-security/2026/03/18/4
- http://www.openwall.com/lists/oss-security/2026/03/18/5
- http://www.openwall.com/lists/oss-security/2026/03/18/7
- https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html