CVE-2026-3497
Publication date 12 March 2026
Last updated 18 March 2026
Ubuntu priority
Description
Vulnerability in the OpenSSH GSSAPI delta (the GSSAPI key-exchange patches) carried by various Linux distributions. It affects only those distribution patches and does not affect the upstream OpenSSH project itself. The patched code calls sshpkt_disconnect() on error, which queues a disconnect but does not terminate the process. An attacker can therefore send an unexpected GSSAPI message type to the server during the GSSAPI key exchange: the server calls the underlying handler, which returns without setting the related connection variables, and execution continues. Because those variables are not initialized to NULL, later code accesses them uninitialized and reads random memory, which can lead to undefined behavior. The recommended workaround is to call ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler hardening flags the binary was built with.
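The bug class described above, as an added illustration written for this page (it is not OpenSSH code, and the message type numbers, context struct and helper names are constructed): an error path that only queues a disconnect and returns lets the caller fall through to code that consumes a field the handler never set, while the hardened shape initializes outputs to NULL, returns from the error path immediately, and guards the consumer. A sentinel pointer stands in for stack garbage so the demo stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed message types for this illustration; not the real KEXGSS numbers. */
enum { MSG_KEXGSS_INIT = 30, MSG_KEXGSS_CONTINUE = 31 };

typedef struct {
    const char *token;   /* set by the handler only for the expected message type */
    size_t token_len;
    int disconnected;    /* set by the disconnect helpers */
    int used_uninit;     /* instrumentation: later code consumed token while it was never set */
} kex_ctx;

/* Sentinel standing in for "whatever was on the stack", so the demo stays defined behaviour. */
static const char GARBAGE[] = "<uninitialized>";

static void init_ctx(kex_ctx *c) {
    c->token = GARBAGE;
    c->token_len = 0;
    c->disconnected = 0;
    c->used_uninit = 0;
}

/* Models the sshpkt_disconnect() behaviour from the advisory: queues a disconnect, then RETURNS. */
static int soft_disconnect(kex_ctx *c, const char *why) {
    c->disconnected = 1;
    fprintf(stderr, "soft disconnect: %s\n", why);
    return -1;   /* the buggy caller ignores this */
}

/* Models ssh_packet_disconnect(): in sshd it terminates the process; here it returns an
   error that the hardened caller propagates at once, so the scenario is testable. */
static int fatal_disconnect(kex_ctx *c, const char *why) {
    c->disconnected = 1;
    fprintf(stderr, "fatal disconnect: %s\n", why);
    return -1;
}

/* Code that runs after dispatch and consumes the token. */
static int use_token(kex_ctx *c) {
    if (c->token == GARBAGE) {   /* for real this would be a read of random memory */
        c->used_uninit = 1;
        return -1;
    }
    if (c->token == NULL)
        return -1;
    return (int)c->token_len;
}

/* Vulnerable shape: the error path does not stop execution and token was never initialized. */
static int handle_msg_vulnerable(kex_ctx *c, int type, const char *payload, size_t len) {
    switch (type) {
    case MSG_KEXGSS_CONTINUE:
        c->token = payload;
        c->token_len = len;
        break;
    default:
        soft_disconnect(c, "unexpected GSSAPI message type");   /* falls through to use_token */
        break;
    }
    return use_token(c);
}

/* Hardened shape: outputs start as NULL, the error path returns immediately, consumer is guarded. */
static int handle_msg_fixed(kex_ctx *c, int type, const char *payload, size_t len) {
    c->token = NULL;
    c->token_len = 0;
    switch (type) {
    case MSG_KEXGSS_CONTINUE:
        c->token = payload;
        c->token_len = len;
        break;
    default:
        return fatal_disconnect(c, "unexpected GSSAPI message type");
    }
    return use_token(c);
}

/* Scenario helpers, one observable value each. */
int vulnerable_reads_uninit(void) {
    kex_ctx c; init_ctx(&c);
    (void)handle_msg_vulnerable(&c, MSG_KEXGSS_INIT, "x", 1);
    return c.used_uninit;                     /* 1: stale pointer was consumed */
}
int fixed_reads_uninit(void) {
    kex_ctx c; init_ctx(&c);
    (void)handle_msg_fixed(&c, MSG_KEXGSS_INIT, "x", 1);
    return c.used_uninit;                     /* 0: never reached use_token */
}
int fixed_disconnects(void) {
    kex_ctx c; init_ctx(&c);
    (void)handle_msg_fixed(&c, MSG_KEXGSS_INIT, "x", 1);
    return c.disconnected;                    /* 1 */
}
int fixed_happy_len(void) {
    kex_ctx c; init_ctx(&c);
    return handle_msg_fixed(&c, MSG_KEXGSS_CONTINUE, "tok", 3);   /* 3 */
}

int main(void) {
    printf("vulnerable used_uninit=%d, fixed used_uninit=%d, fixed happy=%d\n",
           vulnerable_reads_uninit(), fixed_reads_uninit(), fixed_happy_len());
    return 0;
}
```

Two defensive properties carry the weight here: an error path in a protocol state machine must not let control fall through to the post-dispatch code, and any output the handler may fail to set should start as NULL so that a missed check fails loudly rather than reading random memory. The advisory's remark that impact depends on compiler hardening follows from the second point: with the pointer uninitialized, what the stale read hits is build-dependent.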
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| openssh | 25.10 questing | Fixed 1:10.0p1-5ubuntu5.1 |
| openssh | 24.04 LTS noble | Fixed 1:9.6p1-3ubuntu13.15 |
| openssh | 22.04 LTS jammy | Fixed 1:8.9p1-3ubuntu0.14 |
| openssh | 20.04 LTS focal | Fixed 1:8.2p1-4ubuntu0.13+esm1 |
| openssh | 18.04 LTS bionic | Not affected |
| openssh | 16.04 LTS xenial | Not affected |
| openssh | 14.04 LTS trusty | Not affected |
| openssh-ssh1 | 25.10 questing | Ignored |
| openssh-ssh1 | 24.04 LTS noble | Ignored |
| openssh-ssh1 | 22.04 LTS jammy | Ignored |
| openssh-ssh1 | 20.04 LTS focal | Ignored |
| openssh-ssh1 | 18.04 LTS bionic | Ignored |
Notes
mdeslaur
openssh-ssh1 is only provided for compatibility with old devices that cannot be upgraded to modern protocols. We will not be providing any security support for the openssh-ssh1 package as it is insecure and should be used in trusted environments only.
ej7367
bionic and older are not affected because they use packet_disconnect() (which then calls the correct ssh_packet_disconnect() function).
References
Related Ubuntu Security Notices (USN)
- USN-8090-1: OpenSSH vulnerabilities (12 March 2026)
- USN-8090-2: OpenSSH vulnerabilities (12 March 2026)