Linux distributions' OpenSSH GSSAPI patch may crash or behave erratically.

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.9

Linux distributions' OpenSSH GSSAPI patch may crash or behave erratically.

CVE-2026-3497

Summary

A security issue in the GSSAPI patch for certain Linux distributions' OpenSSH software could cause the service to crash or behave unpredictably if an attacker sends specific data. This issue is specific to how some distributions have modified the OpenSSH code and is not a problem with the main OpenSSH software. To fix this issue, update your distribution's OpenSSH package to use the correct function to handle errors.

Original title

Original description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

nvd CVSS4.0 6.9

Vulnerability type

CWE-908 Use of Uninitialized Resource

Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026