Description
A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Published: 2026-06-23
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local, unprivileged attacker on a Linux client can hijack X11 forwarding connections by pre-binding the preferred abstract X socket name. The attacker does not need root privileges, and successful exploitation can reveal sensitive window contents and typed input. The attack may also permit some manipulation of the forwarded session. This flaw does not require network access; it attacks the confidentiality of traffic that is otherwise carried over an encrypted SSH connection.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 via their OpenSSH client implementations. The flaw applies to any system where OpenSSH client X11 forwarding is enabled.

Risk and Exploitability

The CVSS score is 5, indicating medium severity. No EPSS score is available, and the vulnerability is not on the CISA KEV list. The attack requires a local user on a client host where X11 forwarding is enabled, and that user must be able to pre-bind an abstract UNIX-domain socket. Because exploitation needs local access (though not elevated privileges), the attack vector is narrower than that of a remote exploit, but the risk is still significant where X11 forwarding is routinely used.

Generated by OpenCVE AI on June 23, 2026 at 04:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, disable X11 forwarding on OpenSSH clients when it is not required. This can be achieved by avoiding the use of `-X` or `-Y` options when invoking `ssh`, or by setting `ForwardX11 no` in the SSH client configuration file (`~/.ssh/config` or `/etc/ssh/ssh_config`). Disabling X11 forwarding will prevent the client from attempting to establish X11 connections, thereby removing the attack vector.


OpenCVE Recommended Actions

  • Disable X11 forwarding by removing the use of -X and -Y options when invoking ssh or by setting ForwardX11 no in the ssh client configuration file (~/.ssh/config or /etc/ssh/ssh_config).
  • Check the Red Hat errata page for any update that addresses this SSH pre‑binding flaw and apply the patch when available.
  • Restrict local users from creating abstract sockets in the X11 namespace by configuring appropriate filesystem permissions or by disabling the X11 forwarding feature in system-wide SSH client templates.
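The workaround above and the recommended actions both come down to one check: is X11 forwarding actually enabled for the hosts this client talks to? Dropping `-X`/`-Y` from the command line is not sufficient if a configuration file turns it on, and because ssh_config uses first-match semantics, a `ForwardX11 no` placed under `Host *` at the end of the file does not override a `ForwardX11 yes` in an earlier `Host` block. On a machine with OpenSSH installed, `ssh -G <host> | grep -i forwardx11` prints the effective value; the added shell script below (example code, not part of the advisory or of OpenSSH) does the same audit offline for any ssh_config-style file, using a constructed sample config. It is a simplification: only `*` and exact host names are matched, `Keyword=value` syntax and `Match` blocks are not evaluated, and comments are stripped wherever they appear. One caveat on the third recommended action: abstract-namespace UNIX sockets have no filesystem entry, so filesystem permissions do not restrict who can bind them; disabling forwarding where it is not needed is the control that actually removes the exposure.

```shell
#!/bin/sh
# Added example: audit an ssh_config-style file for X11 forwarding.
# ssh_config semantics: the first value obtained for a keyword wins, so a
# "ForwardX11 yes" in an earlier Host block beats a later "Host *" "ForwardX11 no".
# Assumptions: only "*" and exact host names are matched; "Keyword=value"
# syntax and Match blocks are not evaluated.

# effective_forwardx11 FILE HOST -> prints yes|no ("no" is the OpenSSH default)
effective_forwardx11() {
    awk -v host="$2" '
        BEGIN { active = 1; found = 0 }
        {
            line = $0
            sub(/#.*/, "", line)          # strip comments (lenient)
            $0 = line                     # re-split the remaining fields
            if (NF == 0) next
            key = tolower($1)
            if (key == "host") {          # a Host block applies if any pattern matches
                active = 0
                for (i = 2; i <= NF; i++)
                    if ($i == "*" || $i == host) active = 1
                next
            }
            if (key == "match") { active = 0; next }   # Match criteria not evaluated (assumption)
            if (active && key == "forwardx11" && !found) {
                found = 1
                print tolower($2)         # first obtained value wins
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# x11_enabled_hosts FILE -> one line per Host block (or "(global)") that sets ForwardX11 yes
x11_enabled_hosts() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)
            $0 = line
            if (NF == 0) next
            key = tolower($1)
            if (key == "host") {
                block = ""
                for (i = 2; i <= NF; i++) block = (i == 2) ? $i : block " " $i
                next
            }
            if (key == "match") { block = "(Match)"; next }
            if (key == "forwardx11" && tolower($2) == "yes")
                print (block == "" ? "(global)" : block)
        }
    ' "$1"
}

# Constructed sample configs (not from the page). The first forwards X11 only
# to "buildbox" despite the trailing "Host *" block; the second sets nothing.
SAMPLE_CFG="${TMPDIR:-/tmp}/x11_audit_sample.$$"
EMPTY_CFG="${TMPDIR:-/tmp}/x11_audit_empty.$$"
trap 'rm -f "$SAMPLE_CFG" "$EMPTY_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample: the risky per-host setting this advisory is about
Host buildbox
    ForwardX11 yes
    ForwardX11Trusted yes

# the vendor workaround, but first-match semantics mean it does not
# override the block above for "buildbox"
Host *
    ForwardX11 no
EOF
printf 'Host *\n    ServerAliveInterval 30\n' > "$EMPTY_CFG"

echo "buildbox -> $(effective_forwardx11 "$SAMPLE_CFG" buildbox)"   # yes
echo "prod     -> $(effective_forwardx11 "$SAMPLE_CFG" prod)"       # no
echo "no setting -> $(effective_forwardx11 "$EMPTY_CFG" buildbox)"  # no
echo "blocks enabling X11 forwarding: $(x11_enabled_hosts "$SAMPLE_CFG")"   # buildbox
```

Run it against `~/.ssh/config` and `/etc/ssh/ssh_config` in turn (the user file is read first, so a `yes` there wins over the system file). Any block listed by `x11_enabled_hosts` is a host for which the workaround has not taken effect; move the `ForwardX11 no` above it or remove the per-host `yes`.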

Generated by OpenCVE AI on June 23, 2026 at 04:20 UTC.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 03:45:00 +0000

Values added (nothing removed):

Description: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Title: Openssh: local mitm of x11 forwarding via abstract unix socket pre-binding in red hat enterprise linux openssh client versions
First Time appeared: Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift
Weaknesses: CWE-923
CPEs:
  • cpe:/a:redhat:hummingbird:1
  • cpe:/a:redhat:openshift:4
  • cpe:/o:redhat:enterprise_linux:10
  • cpe:/o:redhat:enterprise_linux:6
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:9
Vendors & Products: Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift
References: none
Metrics: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-23T03:36:25.724Z

Reserved: 2026-06-16T23:55:05.737Z

Link: CVE-2026-55655

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T04:30:16Z

Weaknesses
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints