CVE-2026-3497
Use-After-Free in OpenSSH GSSAPI Patch Causes Memory Corruption
Publication date: 2026-03-12
Last updated on: 2026-04-16
Assigner: Canonical Ltd.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openssh | openssh | From 25.10 (inc) to 3.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3497 is a vulnerability in the GSSAPI key exchange patch that Linux distributions such as Ubuntu and Debian apply to their OpenSSH packages; upstream OpenSSH does not carry this code. In the patched kexgsss.c an error path calls sshpkt_disconnect(), which only queues a disconnect message and returns to the caller, where ssh_packet_disconnect(), which sends the message and terminates the process, was intended. Execution therefore continues past the failed check, and the stack variable recv_tok is used without ever having been initialized.
recv_tok is then treated as a received GSS-API token: its garbage pointer and length are passed over the privilege-separation IPC channel to the privileged monitor process, which may call free() on the garbage pointer. The result is undefined behaviour, observed as heap corruption, process crashes and disclosure of heap contents.
Only servers with GSSAPIKeyExchange enabled reach the affected code. What the uninitialized variable actually contains, and so whether a given trigger produces a crash, a leak or silent corruption, depends on the compiler flags and optimization level used to build the package.
How can this vulnerability impact me?
The impact on an affected server is severe:
- Pre-authentication uninitialized pointer dereference: the vulnerable path is reached before any credentials are presented, so no account is needed.
- Heap corruption when free() is called on the uninitialized pointer, which aborts or crashes the process.
- Privilege-separation boundary violation: up to 127 KB of heap data can be leaked across the boundary to the root monitor process.
- Denial of service: a single crafted SSH packet crashes the child process with 100% reliability.
- Observed crash signals are SIGSEGV and SIGABRT; affected systems may experience SSH lockouts lasting around 90 seconds.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation shows up as sshd child processes dying with SIGSEGV (signal 11) or SIGABRT (signal 6), and on affected systems as a roughly 90-second SSH lockout triggered by a single crafted packet.
Monitor for those crash signals and for unexplained SSH connection failures on servers that have GSSAPIKeyExchange enabled.
Because the defect is the use of sshpkt_disconnect() in place of ssh_packet_disconnect() in kexgsss.c, the decisive check is whether the installed OpenSSH server package carries the GSSAPI key exchange patch at a version that predates the distribution's fix, and whether GSSAPIKeyExchange is turned on; a build without the patch does not contain the option or the vulnerable code.
The available resources do not supply specific detection commands.
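As an added check that is not part of the advisory or of OpenSSH itself, the following POSIX shell script classifies a host from the output of `sshd -T` (the effective-configuration dump, which needs root) and counts sshd crash records in journal text. It assumes that the Debian/Ubuntu GSSAPI key exchange patch registers the GSSAPIKeyExchange keyword so that `sshd -T` prints a `gssapikeyexchange yes|no` line, which an upstream build never does; the sample `sshd -T` output and journal lines are constructed for offline use, and the crash-line pattern is a heuristic because message wording varies between distributions.

```shell
#!/bin/sh
# Added example, not from the advisory or the OpenSSH project. Assumes the
# Debian/Ubuntu GSSAPI key exchange patch, which makes `sshd -T` (needs root)
# print a "gssapikeyexchange yes|no" line; an upstream build never prints it.

# Classify exposure from the text of `sshd -T` output:
#   exposed           patched build, GSSAPIKeyExchange yes (vulnerable path reachable)
#   patched-disabled  patched build, option off
#   unpatched         keyword absent: the patch, and with it the bug, is not compiled in
#   unknown           empty input (sshd -T failed, e.g. not run as root); re-check, do not treat as safe
gsskex_state() {
    [ -n "$1" ] || { echo unknown; return; }
    case "$(printf '%s\n' "$1" | awk 'tolower($1)=="gssapikeyexchange" { print tolower($2); exit }')" in
        yes) echo exposed ;;
        no)  echo patched-disabled ;;
        *)   echo unpatched ;;
    esac
}

# Count log lines that look like an sshd process dying from the signals the
# advisory reports (SIGSEGV, SIGABRT), including kernel segfault notices and
# systemd-coredump records. Wording differs between distributions, so a
# non-zero count is a prompt to inspect the journal, not proof of exploitation.
count_sshd_crashes() {
    printf '%s\n' "$1" | grep -Eic 'sshd.*(signal 11|signal 6|SEGV|ABRT|segfault|dumped core)' || true
}

# Constructed sample inputs for offline use; not captured from a real host.
SAMPLE_SSHD_T='port 22
gssapiauthentication no
gssapikeyexchange yes
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org'

SAMPLE_JOURNAL='Mar 12 10:01:02 host sshd[1234]: Connection from 203.0.113.5 port 50000 on 192.0.2.10 port 22
Mar 12 10:01:02 host kernel: sshd[1240]: segfault at 0 ip 00007f0e1c2a3b4c sp 00007ffd1a2b3c40 error 4 in libc.so.6[7f0e1c200000+195000]
Mar 12 10:01:03 host systemd-coredump[1300]: Process 1240 (sshd) of user 0 dumped core.
Mar 12 10:01:05 host sshd[1234]: Received disconnect from 203.0.113.5 port 50000:11: Bye Bye'

# Live use on a server (as root):
#   gsskex_state "$(sshd -T 2>/dev/null)"
#   count_sshd_crashes "$(journalctl --since '-1 day' --no-pager 2>/dev/null)"
```

Run `gsskex_state "$(sshd -T 2>/dev/null)"` as root: `exposed` means a patched build with the key exchange enabled, so the vulnerable path is reachable, while `unknown` means `sshd -T` produced nothing (typically not root, or a configuration error) and the check has to be repeated rather than read as safe.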
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the OpenSSH server package to a version in which the distribution has fixed kexgsss.c by replacing every sshpkt_disconnect() call with ssh_packet_disconnect().
If a fixed package is not yet available, set GSSAPIKeyExchange no in the sshd configuration; the vulnerable path is then not reached. GSSAPIKeyExchange is separate from GSSAPIAuthentication, so turning off the key exchange only affects clients that rely on GSS-API key exchange, typically Kerberos-integrated hosts.
Watch for security updates from your distribution (such as Ubuntu or Debian) and apply the fixed package as soon as it is released.
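The interim mitigation as an added worked example, not taken from the advisory or from OpenSSH: a drop-in that sets GSSAPIKeyExchange no, plus a check that resolves the effective value the way sshd does. It assumes the Debian/Ubuntu layout in which /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`; because sshd uses the first value it reads for a keyword, the drop-in overrides a later `GSSAPIKeyExchange yes` in the main file but loses to one placed before the Include line, which the check exposes. Only absolute Include paths are handled.

```shell
#!/bin/sh
# Added example, not from the advisory or the OpenSSH project. Assumes the
# Debian/Ubuntu layout: /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf". sshd keeps the FIRST value it reads
# for a keyword, so a drop-in read through that Include overrides a later
# "GSSAPIKeyExchange yes" in the main file but loses to one before the Include.

# Effective value of a keyword for sshd_config text on stdin: first non-comment
# match wins, keyword comparison is case-insensitive. Prints nothing when the
# keyword is absent (sshd then applies its built-in default).
effective_value() {
    awk -v k="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Write the mitigation drop-in into a sshd_config.d directory and print its
# path. The 00- prefix sorts first among the files matched by the Include glob.
write_gsskex_dropin() {
    f="$1/00-disable-gsskex.conf"
    printf '%s\n' \
        '# CVE-2026-3497 interim mitigation: GSSAPI key exchange off until the' \
        '# distribution ships a fixed openssh-server. GSSAPIAuthentication is' \
        '# a separate keyword and is not changed here.' \
        'GSSAPIKeyExchange no' > "$f"
    echo "$f"
}

# Resolve the config the way sshd reads it: expand each Include line in place
# (absolute paths only; word splitting and globbing of the argument are
# intentional), then report the effective GSSAPIKeyExchange value.
effective_gsskex() {
    main=$1
    while IFS= read -r line; do
        case "$line" in
            [Ii]nclude\ *) cat -- ${line#* } 2>/dev/null || true ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$main" | effective_value GSSAPIKeyExchange
}

# Live use on a server (as root):
#   write_gsskex_dropin /etc/ssh/sshd_config.d
#   effective_gsskex /etc/ssh/sshd_config      # expect: no
#   sshd -t && systemctl reload ssh            # syntax check, then apply
```

After writing the drop-in on a real host, run `sshd -t` to syntax-check the result and `systemctl reload ssh` (the Debian/Ubuntu unit name) to apply it; if effective_gsskex still reports yes, a GSSAPIKeyExchange line precedes the Include in the main file and has to be edited directly.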