OpenSSH GSSAPI Vulnerability Allow an Attacker to Crash SSH Child Processes
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A significant vulnerability in the GSSAPI Key Exchange patch was applied by numerous Linux distributions on top of their OpenSSH packages.<\/p>\n
The flaw, tracked as CVE-2026-3497, was uncovered by security researcher Jeremy Brown. It allows an attacker to crash SSH child processes reliably and potentially violates privilege separation boundaries, all with a single crafted network packet.<\/p>\n
The vulnerability stems from a one-line code defect inside Because The contents of that variable are then sent to the privileged monitor process over IPC and passed to Brown\u2019s analysis classifies the bug<\/a> under CWE-824 (access of an uninitialized pointer) and CWE-908 (use of an uninitialized resource). Key impact details include:<\/p>\n The severity of the vulnerability varies considerably across distributions due to differing compiler options and optimization flags. Clang compiled with An eight-build test matrix confirmed that Systems running Ubuntu and Debian OpenSSH servers with The fix is straightforward: replace all three instances of Administrators running OpenSSH<\/a> with GSSAPI key exchange enabled should apply available distribution updates immediately or disable Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post OpenSSH GSSAPI Vulnerability Allow an Attacker to Crash SSH Child Processes<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nkexgsss.c<\/code>, the server-side GSSAPI key exchange handler. A non-terminating function, sshpkt_disconnect()<\/code>, was used in the default error-handling case where the process-terminating ssh_packet_disconnect()<\/code> was actually intended.<\/p>\nsshpkt_disconnect()<\/code> only queues a disconnect message and returns rather than halting execution, the error handler falls through into code that reads an uninitialized stack variable called recv_tok<\/code>.<\/p>\nOpenSSH GSSAPI Vulnerability<\/strong><\/h2>\n
gss_release_buffer()<\/code>, which may call free()<\/code> on a garbage pointer resulting in confirmed heap corruption.<\/p>\n\n
-O0<\/code> leaves a pointer value of 0xfffbe600<\/code> with a length of 4 bytes, while GCC compiled with -O2 -fno-stack-protector<\/code> leaves a valid heap address with a length of 127,344 bytes.<\/p>\nrecv_tok.value<\/code> can range from NULL to stack addresses, heap addresses, or entirely unmapped memory regions.<\/p>\nGSSAPIKeyExchange yes<\/code> enabled are confirmed to be potentially affected. Because several different versions of the GSSAPI KEX patch are in circulation across the Linux ecosystem, the scope of impact likely extends beyond these two distributions.<\/p>\nsshpkt_disconnect()<\/code> with ssh_packet_disconnect()<\/code> at the server-side call sites within kexgsss.c<\/code>. Ubuntu has already prepared a patch addressing this issue.<\/p>\nGSSAPIKeyExchange<\/code> as a temporary mitigation.<\/p>\n