CVE-2026-55654
Received - Intake
Heap Out-of-Bounds Read in OpenSSH GSSAPI Cleanup

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Red Hat, Inc.

Description
A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: openssh
Product: openssh
Version / Range: to 10.1.hum1 (exc)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability is a heap out-of-bounds read in OpenSSH related to the cleanup of GSSAPI indicators. It happens because the auth-indicators array lacks a proper trailing NULL termination, causing the program to read beyond the allocated memory during cleanup.

Specifically, when the array is resized, the new pointer slot is not set to NULL, so functions that rely on a NULL sentinel to know the end of the array may read invalid memory. This flaw can be triggered in environments using GSSAPI authentication with Kerberos tickets that include authenticated auth-indicators.
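The resize pattern described above, written in its corrected form as an added example (this is not OpenSSH source; the function names, parameters and sample values are hypothetical). It grows a NULL-terminated pointer array and writes the sentinel into the new slot, so a cleanup routine that walks to the sentinel stops inside the allocation.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not OpenSSH source. All names are hypothetical.
 * `*list` is a heap array of heap strings terminated by a NULL pointer;
 * `*count` is the number of strings stored (sentinel not counted).
 */

/* Append a copy of `value` and keep the sentinel in place.
 * Returns 0 on success, -1 on allocation failure (list left unchanged). */
int indicators_append(char ***list, size_t *count, const char *value)
{
    size_t len = strlen(value) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, value, len);

    /* Existing entries + the new entry + one slot for the sentinel. */
    char **grown = realloc(*list, (*count + 2) * sizeof(*grown));
    if (grown == NULL) {
        free(copy);
        return -1;
    }
    grown[*count] = copy;
    /* realloc() does not zero new memory. Leaving this slot unset is the
     * flaw pattern described above: a sentinel walk runs off the array. */
    grown[*count + 1] = NULL;
    *list = grown;
    (*count)++;
    return 0;
}

/* Sentinel-based cleanup: frees until the NULL slot. Returns entries freed. */
size_t indicators_free(char **list)
{
    size_t freed = 0;
    if (list == NULL)
        return 0;
    for (char **p = list; *p != NULL; p++) {
        free(*p);
        freed++;
    }
    free(list);
    return freed;
}
```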

Impact Analysis

A remote attacker could exploit this vulnerability to cause the SSH authentication process to crash or abort, resulting in a denial of service (DoS). This impacts the availability of the SSH service, potentially preventing legitimate users from authenticating.

There is no established impact on confidentiality or integrity, and the overall severity is considered low due to the narrow conditions required for exploitation.

Detection Guidance

This vulnerability occurs in OpenSSH when built with GSSAPI support and deployed with GSSAPIAuthentication enabled. Detection involves verifying if your OpenSSH version is affected and if GSSAPIAuthentication is enabled.

  • Check the OpenSSH version to see if it matches the affected version (e.g., openssh-10.2p1-10.1.hum1 or similar builds with GSSAPI support).
  • Verify if GSSAPIAuthentication is enabled in your SSH server configuration by running: `grep -i GSSAPIAuthentication /etc/ssh/sshd_config`
  • Check if your environment uses Kerberos tickets with authenticated auth-indicators, which are required for exploitation.

There are no specific commands provided to detect exploitation attempts or crashes caused by this vulnerability, but monitoring SSH service logs for authentication crashes or abnormal terminations related to GSSAPI may help identify issues.

Mitigation Strategies

Immediate mitigation steps focus on disabling or restricting the vulnerable features until a patch is applied.

  • Disable GSSAPIAuthentication in your SSH server configuration by setting `GSSAPIAuthentication no` in `/etc/ssh/sshd_config` and restarting the SSH service.
  • Avoid using GSSAPIIndicators in your authentication setup.
  • Restrict or avoid Kerberos tickets that carry authenticated auth-indicators values.

Applying the vendor-provided patch or updating OpenSSH to a fixed version when available is recommended for a permanent fix.

Compliance Impact

This vulnerability causes a denial of service (DoS) by crashing the SSH authentication path under specific configurations, impacting availability.

There is no established impact on confidentiality or integrity, which are critical factors for compliance with standards like GDPR or HIPAA.

Since the vulnerability affects availability only and does not compromise data confidentiality or integrity, its direct effect on compliance with regulations such as GDPR or HIPAA is limited.
