CVE-2026-3497 - Vulnerability Details

- openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables

Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Published: 2026-03-12

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from uninitialized variables used during the GSSAPI key exchange in the OpenSSH server. When an attacker sends an unexpected GSSAPI message type, the server uses sshpkt_disconnect() which does not terminate the connection. This allows the code to use related connection variables that were never set to NULL, leading to random memory access and undefined behavior. The impact can include accidental disclosure of memory contents or a denial of service if the undefined behavior crashes the process. The weakness corresponds to CWE‑824 and CWE‑908.

Affected Systems

Affected systems are Ubuntu distributions that include the patched OpenSSH GSSAPI implementation. The issue is limited to OpenSSH packages customized by Ubuntu; the upstream OpenSSH project is not affected. No specific affected version numbers are enumerated in the available data, so any Ubuntu OpenSSH release that includes the distribution's GSSAPI patch is potentially vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 2.7 and an EPSS score of less than 1 %, and it is not listed as a Known Exploited Vulnerability. Exploitation requires network access to an SSH server and the ability to send crafted GSSAPI messages. It may expose sensitive data or cause a service disruption, especially on systems with weaker compiler hardening. The recommended mitigation is to update to an Ubuntu OpenSSH package that contains the patch or to apply an alternative code change that forces proper process termination on error.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Ubuntu

openssh

unaffected

Version	Status	Constraints
`1:10.0p1-5ubuntu5`	affected	< 1:10.0p1-5ubuntu5.1
`1:9.6p1-3ubuntu13`	affected	< 1:9.6p1-3ubuntu13.15
`1:8.9p1-3`	affected	< 1:8.9p1-3ubuntu0.14

No data.

Vendor Product Confidence Versions

Ubuntu

Openssh

100%

Version	Status	Scheme	Platform
`[1:10.0p1-5ubuntu5,1:10.0p1-5ubuntu5.1)`	affected	generic	—
`[1:9.6p1-3ubuntu13,1:9.6p1-3ubuntu13.15)`	affected	generic	—
`[1:8.9p1-3,1:8.9p1-3ubuntu0.14)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Ubuntu OpenSSH package that includes the GSSAPI patch.
If an update is not yet available, modify the OpenSSH source to replace sshpkt_disconnect() with ssh_packet_disconnect() to ensure termination of the connection on error.
Rebuild the package ensuring compiler hardening flags such as -fstack-protector are enabled to reduce the chance of undefined behavior.
Verify that GSSAPI is disabled or restricted in sshd_config when not required, and monitor SSH logs for unexpected disconnect or GSSAPI errors.

Generated by OpenCVE AI on March 18, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4535-1	openssh security update
Debian DSA	DSA-6204-1	openssh security update
Ubuntu USN	USN-8090-1	OpenSSH vulnerabilities
Ubuntu USN	USN-8090-2	OpenSSH vulnerabilities

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/12/3
http://www.openwall.com/lists/oss-security/2026/03/14/3
http://www.openwall.com/lists/oss-security/2026/03/14/4
http://www.openwall.com/lists/oss-security/2026/03/18/2
http://www.openwall.com/lists/oss-security/2026/03/18/4
http://www.openwall.com/lists/oss-security/2026/03/18/5
http://www.openwall.com/lists/oss-security/2026/03/18/7
https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html
https://nvd.nist.gov/vuln/detail/CVE-2026-3497
https://ubuntu.com/security/CVE-2026-3497
https://www.cve.org/CVERecord?id=CVE-2026-3497
https://www.openwall.com/lists/oss-security/2026/03/12/3

History

Thu, 16 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html

Wed, 18 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/18/7

Wed, 18 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/18/5

Wed, 18 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/18/4

Wed, 18 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/18/2

Mon, 16 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/14/3 http://www.openwall.com/lists/oss-security/2026/03/14/4

Fri, 13 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables
Weaknesses		CWE-824
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3497 https://www.cve.org/CVERecord?id=CVE-2026-3497
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}` threat_severity `Important`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ubuntu Ubuntu openssh
Vendors & Products		Ubuntu Ubuntu openssh

Thu, 12 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/12/3

Thu, 12 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
References		https://www.openwall.com/lists/oss-security/2026/03/12/3

Thu, 12 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Weaknesses		CWE-908
References		https://ubuntu.com/security/CVE-2026-3497
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}`

Subscriptions

Ubuntu Openssh

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-03-12T18:27:44.917Z

Updated: 2026-04-16T18:24:30.556Z

Reserved: 2026-03-03T19:33:05.664Z

Link: CVE-2026-3497

Vulnrichment

Updated: 2026-04-16T18:24:30.556Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T19:16:19.910

Modified: 2026-04-16T19:16:34.113

Link: CVE-2026-3497

Redhat

Severity : Important

Publid Date: 2026-03-12T18:27:44Z

Links: CVE-2026-3497 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T09:55:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object