Vulnerability-Lookup

RHSA-2026:5475

Vulnerability from csaf_redhat - Published: 2026-03-23 17:29 - Updated: 2026-04-21 19:42

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPM Release

Severity

Important

Notes

Topic: Red Hat Hardened Images RPM Release

Details: Red Hat Hardened Images RPM Release

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-61984

A flaw was found in OpenSSH where control characters in usernames were not properly validated when sourced from untrusted inputs like the command line or configuration expansion. If a ProxyCommand is used, these control characters could modify command behavior, potentially leading to code execution.

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-159 - Improper Handling of Invalid Use of Special Elements

Vendor Fix Red Hat Hardened Images RPM Release https://access.redhat.com/errata/RHSA-2026:5475

CVE-2025-61985

A flaw was found in OpenSSH where the SSH client accepted \0 (null) characters in ssh:// URIs. When a ProxyCommand is configured, these characters could alter how the command is parsed, potentially leading to code execution depending on how the proxy is set up.

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-158 - Improper Neutralization of Null Byte or NUL Character

Vendor Fix Red Hat Hardened Images RPM Release https://access.redhat.com/errata/RHSA-2026:5475

CVE-2026-3497

A flaw was found in the OpenSSH GSSAPI (Generic Security Service Application Program Interface) delta patches, as included in various Linux distributions. A remote attacker could exploit this by sending an unexpected GSSAPI message type during the key exchange process. This occurs because the `sshpkt_disconnect()` function, when called on an error, does not properly terminate the process, leading to the continued execution of the program with uninitialized connection variables. Accessing these uninitialized variables can lead to undefined behavior, potentially resulting in information disclosure or a denial of service.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-824 - Access of Uninitialized Pointer

Vendor Fix Red Hat Hardened Images RPM Release https://access.redhat.com/errata/RHSA-2026:5475

Workaround To mitigate this issue, disable GSSAPI key exchange in the OpenSSH server configuration. This prevents the server from processing GSSAPI messages, eliminating the vulnerability's attack surface. Edit `/etc/ssh/sshd_config` and add or modify the line: ``` GSSAPIKeyExchange no ``` After saving the changes, restart the `sshd` service for the mitigation to take effect. This action will prevent users from authenticating via GSSAPI. ``` # systemctl restart sshd ```

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:5475	self
	https://access.redhat.com/security/cve/CVE-2025-61985	external
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/security/cve/CVE-2025-61984	external
	https://access.redhat.com/security/cve/CVE-2026-3497	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2025-61984	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2401960	external
	https://www.cve.org/CVERecord?id=CVE-2025-61984	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-61984	external
	https://marc.info/?l=openssh-unix-dev&m=175974522…	external
	https://www.openssh.com/releasenotes.html#10.1p1	external
	https://www.openwall.com/lists/oss-security/2025/…	external
	https://access.redhat.com/security/cve/CVE-2025-61985	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2401962	external
	https://www.cve.org/CVERecord?id=CVE-2025-61985	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-61985	external
	https://access.redhat.com/security/cve/CVE-2026-3497	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2447085	external
	https://www.cve.org/CVERecord?id=CVE-2026-3497	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-3497	external
	https://ubuntu.com/security/CVE-2026-3497	external
	https://www.openwall.com/lists/oss-security/2026/…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Hardened Images RPM Release",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Hardened Images RPM Release",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:5475",
        "url": "https://access.redhat.com/errata/RHSA-2026:5475"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61985",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61985"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61984",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61984"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-3497",
        "url": "https://access.redhat.com/security/cve/CVE-2026-3497"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_5475.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPM Release",
    "tracking": {
      "current_release_date": "2026-04-21T19:42:12+00:00",
      "generator": {
        "date": "2026-04-21T19:42:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:5475",
      "initial_release_date": "2026-03-23T17:29:37+00:00",
      "revision_history": [
        {
          "date": "2026-03-23T17:29:37+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-18T19:59:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-21T19:42:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssh-main@aarch64",
                "product": {
                  "name": "openssh-main@aarch64",
                  "product_id": "openssh-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssh@10.2p1-9.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssh-main@src",
                "product": {
                  "name": "openssh-main@src",
                  "product_id": "openssh-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssh@10.2p1-9.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssh-main@x86_64",
                "product": {
                  "name": "openssh-main@x86_64",
                  "product_id": "openssh-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssh@10.2p1-9.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssh-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:openssh-main@aarch64"
        },
        "product_reference": "openssh-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssh-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:openssh-main@src"
        },
        "product_reference": "openssh-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssh-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:openssh-main@x86_64"
        },
        "product_reference": "openssh-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61984",
      "cwe": {
        "id": "CWE-159",
        "name": "Improper Handling of Invalid Use of Special Elements"
      },
      "discovery_date": "2025-10-06T19:01:13.449665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2401960"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenSSH where control characters in usernames were not properly validated when sourced from untrusted inputs like the command line or configuration expansion. If a ProxyCommand is used, these control characters could modify command behavior, potentially leading to code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The impact is MODERATE because it is a critical component used across many Red Hat products.\nThe issue occurs only when a ProxyCommand is configured and the SSH client handles a username containing control characters from an untrusted source, such as script-generated input or expanded configuration values.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:openssh-main@aarch64",
          "Red Hat Hardened Images:openssh-main@src",
          "Red Hat Hardened Images:openssh-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61984"
        },
        {
          "category": "external",
          "summary": "RHBZ#2401960",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401960"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61984",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61984"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61984",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61984"
        },
        {
          "category": "external",
          "summary": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2",
          "url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
        },
        {
          "category": "external",
          "summary": "https://www.openssh.com/releasenotes.html#10.1p1",
          "url": "https://www.openssh.com/releasenotes.html#10.1p1"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2025/10/06/1",
          "url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
        }
      ],
      "release_date": "2025-10-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-23T17:29:37+00:00",
          "details": "Red Hat Hardened Images RPM Release",
          "product_ids": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5475"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand"
    },
    {
      "cve": "CVE-2025-61985",
      "cwe": {
        "id": "CWE-158",
        "name": "Improper Neutralization of Null Byte or NUL Character"
      },
      "discovery_date": "2025-10-06T19:01:16.841946+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2401962"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenSSH where the SSH client accepted \\0 (null) characters in ssh:// URIs. When a ProxyCommand is configured, these characters could alter how the command is parsed, potentially leading to code execution depending on how the proxy is set up.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The impact is MODERATE because it is a critical component used across many Red Hat products.\nExploiting this vulnerability would require a specific configuration where ProxyCommand is enabled and the SSH client processes an untrusted ssh:// URI containing null bytes. Under these conditions, the command parser may misinterpret the URI and execute unintended shell commands.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:openssh-main@aarch64",
          "Red Hat Hardened Images:openssh-main@src",
          "Red Hat Hardened Images:openssh-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61985"
        },
        {
          "category": "external",
          "summary": "RHBZ#2401962",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401962"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61985",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61985"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61985",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61985"
        },
        {
          "category": "external",
          "summary": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2",
          "url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
        },
        {
          "category": "external",
          "summary": "https://www.openssh.com/releasenotes.html#10.1p1",
          "url": "https://www.openssh.com/releasenotes.html#10.1p1"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2025/10/06/1",
          "url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
        }
      ],
      "release_date": "2025-10-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-23T17:29:37+00:00",
          "details": "Red Hat Hardened Images RPM Release",
          "product_ids": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5475"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand"
    },
    {
      "cve": "CVE-2026-3497",
      "cwe": {
        "id": "CWE-824",
        "name": "Access of Uninitialized Pointer"
      },
      "discovery_date": "2026-03-12T19:01:37.007806+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2447085"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the OpenSSH GSSAPI (Generic Security Service Application Program Interface) delta patches, as included in various Linux distributions. A remote attacker could exploit this by sending an unexpected GSSAPI message type during the key exchange process. This occurs because the `sshpkt_disconnect()` function, when called on an error, does not properly terminate the process, leading to the continued execution of the program with uninitialized connection variables. Accessing these uninitialized variables can lead to undefined behavior, potentially resulting in information disclosure or a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "IMPORTANT: This vulnerability affects the OpenSSH GSSAPI delta as implemented in Red Hat Enterprise Linux and OpenShift Container Platform. An unauthenticated attacker could send a specially crafted GSSAPI message during key exchange, leading to the use of uninitialized variables and potentially undefined behavior. The severity of the impact is dependent on compiler hardening configurations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:openssh-main@aarch64",
          "Red Hat Hardened Images:openssh-main@src",
          "Red Hat Hardened Images:openssh-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3497"
        },
        {
          "category": "external",
          "summary": "RHBZ#2447085",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447085"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3497",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3497"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3497",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3497"
        },
        {
          "category": "external",
          "summary": "https://ubuntu.com/security/CVE-2026-3497",
          "url": "https://ubuntu.com/security/CVE-2026-3497"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2026/03/12/3",
          "url": "https://www.openwall.com/lists/oss-security/2026/03/12/3"
        }
      ],
      "release_date": "2026-03-12T18:27:44.917000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-23T17:29:37+00:00",
          "details": "Red Hat Hardened Images RPM Release",
          "product_ids": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5475"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, disable GSSAPI key exchange in the OpenSSH server configuration. This prevents the server from processing GSSAPI messages, eliminating the vulnerability\u0027s attack surface.\n\nEdit `/etc/ssh/sshd_config` and add or modify the line:\n```\nGSSAPIKeyExchange no\n```\n\nAfter saving the changes, restart the `sshd` service for the mitigation to take effect. This action will prevent users from authenticating via GSSAPI.\n\n```\n# systemctl restart sshd\n```",
          "product_ids": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:openssh-main@aarch64",
            "Red Hat Hardened Images:openssh-main@src",
            "Red Hat Hardened Images:openssh-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables"
    }
  ]
}

CVE-2025-61984 (GCVE-0-2025-61984)

Vulnerability from cvelistv5 – Published: 2025-10-06 00:00 – Updated: 2026-02-26 17:48

Summary

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Severity ?

3.6 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-159 - Improper Handling of Invalid Use of Special Elements

Assigner

mitre

References

URL

Tags

	https://www.openwall.com/lists/oss-security/2025/…
	https://marc.info/?l=openssh-unix-dev&m=175974522…
	https://www.openssh.com/releasenotes.html#10.1p1

Impacted products

	Vendor	Product	Version
	OpenBSD	OpenSSH	Affected: 0 , < 10.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61984",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-08T03:55:10.734755Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:48:18.755Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-11T14:50:56.007Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/07/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/12/1"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSH",
          "vendor": "OpenBSD",
          "versions": [
            {
              "lessThan": "10.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-159",
              "description": "CWE-159 Improper Handling of Invalid Use of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-06T18:17:49.959Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
        },
        {
          "url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
        },
        {
          "url": "https://www.openssh.com/releasenotes.html#10.1p1"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-61984",
    "datePublished": "2025-10-06T00:00:00.000Z",
    "dateReserved": "2025-10-06T00:00:00.000Z",
    "dateUpdated": "2026-02-26T17:48:18.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61985 (GCVE-0-2025-61985)

Vulnerability from cvelistv5 – Published: 2025-10-06 00:00 – Updated: 2025-10-06 18:34

Summary

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Severity ?

3.6 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-158 - Improper Neutralization of Null Byte or NUL Character

Assigner

mitre

References

URL

Tags

	https://www.openwall.com/lists/oss-security/2025/…
	https://marc.info/?l=openssh-unix-dev&m=175974522…
	https://www.openssh.com/releasenotes.html#10.1p1

Impacted products

	Vendor	Product	Version
	OpenBSD	OpenSSH	Affected: 0 , < 10.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-06T18:33:49.712677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-06T18:34:24.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSH",
          "vendor": "OpenBSD",
          "versions": [
            {
              "lessThan": "10.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ssh in OpenSSH before 10.1 allows the \u0027\\0\u0027 character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-158",
              "description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-06T18:19:08.824Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
        },
        {
          "url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
        },
        {
          "url": "https://www.openssh.com/releasenotes.html#10.1p1"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-61985",
    "datePublished": "2025-10-06T00:00:00.000Z",
    "dateReserved": "2025-10-06T00:00:00.000Z",
    "dateUpdated": "2025-10-06T18:34:24.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2026-3497 (GCVE-0-2026-3497)

Vulnerability from cvelistv5 – Published: 2026-03-12 18:27 – Updated: 2026-04-16 18:24

Summary

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Severity ?

2.7 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

canonical

References

URL

Tags

	https://ubuntu.com/security/CVE-2026-3497	vdb-entry
	https://www.openwall.com/lists/oss-security/2026/…

Impacted products

	Vendor	Product	Version
	Ubuntu	openssh	Affected: 1:10.0p1-5ubuntu5 , < 1:10.0p1-5ubuntu5.1 (dpkg) Affected: 1:9.6p1-3ubuntu13 , < 1:9.6p1-3ubuntu13.15 (dpkg) Affected: 1:8.9p1-3 , < 1:8.9p1-3ubuntu0.14 (dpkg)

Date Public ?

2026-03-12 18:00

Credits

Jeremy Brown

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3497",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:04:05.760026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:04:27.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-16T18:24:30.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/12/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/14/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/14/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/7"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://launchpad.net/ubuntu/",
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "openssh",
          "repo": "https://launchpad.net/ubuntu/+source/openssh",
          "vendor": "Ubuntu",
          "versions": [
            {
              "lessThan": "1:10.0p1-5ubuntu5.1",
              "status": "affected",
              "version": "1:10.0p1-5ubuntu5",
              "versionType": "dpkg"
            },
            {
              "lessThan": "1:9.6p1-3ubuntu13.15",
              "status": "affected",
              "version": "1:9.6p1-3ubuntu13",
              "versionType": "dpkg"
            },
            {
              "lessThan": "1:8.9p1-3ubuntu0.14",
              "status": "affected",
              "version": "1:8.9p1-3",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeremy Brown"
        }
      ],
      "datePublic": "2026-03-12T18:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-908",
              "description": "CWE-908 Use of Uninitialized Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T18:44:06.073Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://ubuntu.com/security/CVE-2026-3497"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/03/12/3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-3497",
    "datePublished": "2026-03-12T18:27:44.917Z",
    "dateReserved": "2026-03-03T19:33:05.664Z",
    "dateUpdated": "2026-04-16T18:24:30.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:5475

CVE-2025-61984 (GCVE-0-2025-61984)

CVE-2025-61985 (GCVE-0-2025-61985)

CVE-2026-3497 (GCVE-0-2026-3497)

Tags

Sightings

Nomenclature