CVE-2026-3497
Analyzed Analyzed - Analysis Complete
Use-After-Free in OpenSSH GSSAPI Patch Causes Memory Corruption

Publication date: 2026-03-12

Last updated on: 2026-06-02

Assigner: Canonical Ltd.

Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3497
EUVD
EUVD-2026-11684
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
openbsd openssh *
debian debian_linux 11.0
redhat enterprise_linux 8.0
canonical ubuntu_linux 20.04
redhat enterprise_linux 9.0
canonical ubuntu_linux 22.04
canonical ubuntu_linux 24.04
redhat enterprise_linux 10.0
canonical ubuntu_linux 25.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3497 is a security vulnerability in the GSSAPI Key Exchange patch applied to OpenSSH packages used by various Linux distributions such as Ubuntu and Debian. The issue arises because the function sshpkt_disconnect(), which queues a disconnect message but does not terminate the process, is mistakenly used instead of ssh_packet_disconnect(), which properly terminates the process. This incorrect usage leads to the program continuing execution with uninitialized variables, specifically an uninitialized stack variable named recv_tok.

As a result, the uninitialized variable is accessed and passed through inter-process communication to a privileged monitor process, which may call free() on a garbage pointer. This causes undefined behavior including heap corruption, process crashes, and potential leakage of sensitive heap data.

The vulnerability affects OpenSSH servers configured with GSSAPIKeyExchange enabled and depends heavily on compiler flags and optimization levels, which influence the contents of the uninitialized variable and the severity of the impact.

Impact Analysis

This vulnerability can have several severe impacts on affected systems:

  • Pre-authentication uninitialized pointer dereference, which can be exploited without any credentials.
  • Heap corruption caused by free() being called on an uninitialized pointer, leading to process aborts and crashes.
  • Privilege separation boundary violation, potentially leaking up to 127KB of heap data to the root monitor process.
  • Child process crashes with 100% reliability triggered by a single crafted SSH packet, causing denial of service.
  • Observed signals include SIGSEGV and SIGABRT, and affected systems may experience SSH lockouts lasting around 90 seconds.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing abnormal behavior in the OpenSSH server, such as child process crashes with signals like SIGSEGV (signal 11) or SIGABRT (signal 6), and a 90-second SSH lockout on affected systems triggered by a single crafted SSH packet.

Detection involves monitoring for these crash signals and unusual SSH connection disruptions on servers configured with GSSAPIKeyExchange enabled.

Since the vulnerability arises from the use of sshpkt_disconnect() instead of ssh_packet_disconnect() in the kexgsss.c file, checking the OpenSSH server version and configuration for the presence of vulnerable patches is recommended.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the OpenSSH package to a version where the vulnerable code has been fixed by replacing all instances of sshpkt_disconnect() with ssh_packet_disconnect() in the affected kexgsss.c file.

If an update is not immediately available, disabling GSSAPIKeyExchange in the OpenSSH server configuration can reduce exposure to this vulnerability.

Monitoring for security updates from your Linux distribution vendor (such as Ubuntu or Debian) and applying patches as soon as they are released is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart