OpenSSH <10.3: Missing confirmation in proxymode multiplexing
CVE-2026-35388 Published on April 2, 2026
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Vulnerability Analysis
CVE-2026-35388 is exploitable with local system access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Unprotected Alternate Channel
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.
Products Associated with CVE-2026-35388
stack.watch emails you whenever new vulnerabilities are published in OpenBSD OpenSSH or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
OpenBSD OpenSSH:- Before 10.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.