OpenSSH GSSAPI: Uninitialized Variables via sshpkt_disconnect
CVE-2026-3497 Published on March 12, 2026
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Vulnerability Analysis
CVE-2026-3497 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.
Weakness Types
Use of Uninitialized Resource
The software uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software.
Access of Uninitialized Pointer
The program accesses or uses a pointer that has not been initialized.
Products Associated with CVE-2026-3497
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-3497 are published in these products:
Affected Versions
Ubuntu openssh:- Version 1:10.0p1-5ubuntu5 and below 1:10.0p1-5ubuntu5.1 is affected.
- Version 1:9.6p1-3ubuntu13 and below 1:9.6p1-3ubuntu13.15 is affected.
- Version 1:8.9p1-3 and below 1:8.9p1-3ubuntu0.14 is affected.
- Version 0:9.9p1-13.el10_1 and below * is unaffected.
- Version 0:9.9p1-7.el10_0.2 and below * is unaffected.
- Version 0:8.0p1-28.el8_10 and below * is unaffected.
- Version 0:8.0p1-7.el8_4.1 and below * is unaffected.
- Version 0:8.0p1-7.el8_4.1 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.4 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.4 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.4 and below * is unaffected.
- Version 0:8.0p1-20.el8_8.3 and below * is unaffected.
- Version 0:8.0p1-20.el8_8.3 and below * is unaffected.
- Version 0:8.7p1-48.el9_7 and below * is unaffected.
- Version 0:8.7p1-13.el9_0.2 and below * is unaffected.
- Version 0:8.7p1-30.el9_2.10 and below * is unaffected.
- Version 0:8.7p1-38.el9_4.7 and below * is unaffected.
- Version 0:8.7p1-45.el9_6.2 and below * is unaffected.
- Version 412.86.202605271418-0 and below * is unaffected.
- Version 413.92.202605271328-0 and below * is unaffected.
- Version 414.92.202605060243-0 and below * is unaffected.
- Version 415.92.202605060220-0 and below * is unaffected.
- Version 416.94.202605200242-0 and below * is unaffected.
- Version 417.94.202605112123-0 and below * is unaffected.
- Version 418.94.202604240015-0 and below * is unaffected.
- Version 4.19.9.6.202605201155-0 and below * is unaffected.
- Version 7.13.5-4.1777325677 and below * is unaffected.
- Version 7.13.5-4.1777325711 and below * is unaffected.
- Version 7.13.5-4.1777325710 and below * is unaffected.
- Version 7.13.5-3.1777325680 and below * is unaffected.
- Version 7.13.5-4.1777325709 and below * is unaffected.
- Version 7.13.5-4.1777325680 and below * is unaffected.
- Version 7.13.5-4.1777325708 and below * is unaffected.
- Version 1779223654 and below * is unaffected.
- Version 1779223651 and below * is unaffected.
- Version 1780681984 and below * is unaffected.
- Version 1778244559 and below * is unaffected.
- Version 1778244531 and below * is unaffected.
- Version 1778274666 and below * is unaffected.
- Version 1778244546 and below * is unaffected.
- Version 10.2p1-9.hum1 and below * is unaffected.
- Version 1776868772 and below * is unaffected.
- Version 1776868842 and below * is unaffected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.