OpenSSH GSSAPI: Uninitialized Variables via sshpkt_disconnect
CVE-2026-3497 Published on March 12, 2026
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. It affects the GSSAPI patches added by those distributions and does not affect the OpenSSH upstream project itself. On an error, the patched code uses sshpkt_disconnect(), which does not terminate the process. An attacker can therefore send an unexpected GSSAPI message type to the server during the GSSAPI key exchange: the server calls the underlying function and continues executing without setting the related connection variables. Because those variables are not initialized to NULL, the code later accesses them uninitialized, reading random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Weakness Type
Use of Uninitialized Resource
The software uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software.
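The control-flow pattern described above, as an added example that is not code from OpenSSH or from any distribution patch: a message handler whose error path returns instead of ending the step, next to a hardened form. All names are hypothetical, a sentinel pointer stands in for uninitialized stack contents so the result is deterministic, and the hardened form returns an error where ssh_packet_disconnect() would terminate the process.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not OpenSSH code. */
enum { MSG_TOKEN = 1, MSG_UNEXPECTED = 99 };
enum { STEP_OK = 0, STEP_USED_STALE = 1, STEP_ABORTED = 2 };

static const char POISON[] = "stale"; /* stands in for leftover stack bytes */
int disconnects_queued;               /* counts calls to the stand-in below */

/* Stand-in for a disconnect helper that queues its message and returns. */
static void queue_disconnect(void) { disconnects_queued++; }

/* Code after the switch that consumes the token. */
static int consume(const char *tok)
{
    return tok == POISON ? STEP_USED_STALE : STEP_OK;
}

/* Weak form: the default case returns to the caller's normal path. */
int kex_step_weak(int type, const char *payload)
{
    const char *tok = POISON; /* real pattern: declared with no initializer */
    switch (type) {
    case MSG_TOKEN: tok = payload; break;
    default: queue_disconnect(); break; /* execution continues below */
    }
    return consume(tok);
}

/* Hardened form: NULL initializer, and the error path ends the step. */
int kex_step_hardened(int type, const char *payload)
{
    const char *tok = NULL;
    switch (type) {
    case MSG_TOKEN: tok = payload; break;
    default: queue_disconnect(); return STEP_ABORTED;
    }
    return tok == NULL ? STEP_ABORTED : consume(tok);
}

int main(void)
{
    printf("weak: %d\n", kex_step_weak(MSG_UNEXPECTED, NULL));
    printf("hardened: %d\n", kex_step_hardened(MSG_UNEXPECTED, NULL));
    return 0;
}
```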
Products Associated with CVE-2026-3497
Affected Versions
Ubuntu openssh:
- Version 1:10.0p1-5ubuntu5 and below 1:10.0p1-5ubuntu5.1 is affected.
- Version 1:9.6p1-3ubuntu13 and below 1:9.6p1-3ubuntu13.15 is affected.
- Version 1:8.9p1-3 and below 1:8.9p1-3ubuntu0.14 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.