CVE-2026-3497 (GCVE-0-2026-3497)

Vulnerability from cvelistv5 – Published: 2026-03-12 18:27 – Updated: 2026-04-16 18:24
VLAI?
Summary
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Severity ?
2.7 (Low)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-908 - Use of Uninitialized Resource
Assigner
References
Impacted products
Vendor Product Version
Ubuntu openssh Affected: 1:10.0p1-5ubuntu5 , < 1:10.0p1-5ubuntu5.1 (dpkg)
Affected: 1:9.6p1-3ubuntu13 , < 1:9.6p1-3ubuntu13.15 (dpkg)
Affected: 1:8.9p1-3 , < 1:8.9p1-3ubuntu0.14 (dpkg)
Create a notification for this product.
Date Public ?
2026-03-12 18:00
Credits
Jeremy Brown
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3497",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:04:05.760026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:04:27.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-16T18:24:30.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/12/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/14/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/14/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/7"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://launchpad.net/ubuntu/",
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "openssh",
          "repo": "https://launchpad.net/ubuntu/+source/openssh",
          "vendor": "Ubuntu",
          "versions": [
            {
              "lessThan": "1:10.0p1-5ubuntu5.1",
              "status": "affected",
              "version": "1:10.0p1-5ubuntu5",
              "versionType": "dpkg"
            },
            {
              "lessThan": "1:9.6p1-3ubuntu13.15",
              "status": "affected",
              "version": "1:9.6p1-3ubuntu13",
              "versionType": "dpkg"
            },
            {
              "lessThan": "1:8.9p1-3ubuntu0.14",
              "status": "affected",
              "version": "1:8.9p1-3",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeremy Brown"
        }
      ],
      "datePublic": "2026-03-12T18:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-908",
              "description": "CWE-908 Use of Uninitialized Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T18:44:06.073Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://ubuntu.com/security/CVE-2026-3497"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/03/12/3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-3497",
    "datePublished": "2026-03-12T18:27:44.917Z",
    "dateReserved": "2026-03-03T19:33:05.664Z",
    "dateUpdated": "2026-04-16T18:24:30.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-3497",
      "date": "2026-05-14",
      "epss": "0.00035",
      "percentile": "0.10415"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3497\",\"sourceIdentifier\":\"security@ubuntu.com\",\"published\":\"2026-03-12T19:16:19.910\",\"lastModified\":\"2026-04-16T19:16:34.113\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad en el delta GSSAPI de OpenSSH incluida en varias distribuciones de Linux. Esta vulnerabilidad afecta a los parches GSSAPI a\u00f1adidos por varias distribuciones de Linux y no afecta al proyecto upstream de OpenSSH en s\u00ed. El uso de sshpkt_disconnect() en caso de error, que no termina el proceso, permite a un atacante enviar un tipo de mensaje GSSAPI inesperado durante el intercambio de claves GSSAPI al servidor, lo que llamar\u00e1 a la funci\u00f3n subyacente y continuar\u00e1 la ejecuci\u00f3n del programa sin establecer las variables de conexi\u00f3n relacionadas. Como las variables no se inicializan a NULL, el c\u00f3digo accede posteriormente a esas variables no inicializadas, accediendo a memoria aleatoria, lo que podr\u00eda llevar a un comportamiento indefinido. La soluci\u00f3n alternativa recomendada es usar ssh_packet_disconnect() en su lugar, que s\u00ed termina el proceso. El impacto de la vulnerabilidad depende en gran medida de la configuraci\u00f3n de endurecimiento de las banderas del compilador.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@ubuntu.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security@ubuntu.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"references\":[{\"url\":\"https://ubuntu.com/security/CVE-2026-3497\",\"source\":\"security@ubuntu.com\"},{\"url\":\"https://www.openwall.com/lists/oss-security/2026/03/12/3\",\"source\":\"security@ubuntu.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/12/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/14/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/14/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/18/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/18/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/18/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/18/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/12/3\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/14/3\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/14/4\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/18/2\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/18/4\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/18/5\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/18/7\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-16T18:24:30.556Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3497\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T19:04:05.760026Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T19:04:10.900Z\"}}], \"cna\": {\"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jeremy Brown\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://launchpad.net/ubuntu/+source/openssh\", \"vendor\": \"Ubuntu\", \"product\": \"openssh\", \"versions\": [{\"status\": \"affected\", \"version\": \"1:10.0p1-5ubuntu5\", \"lessThan\": \"1:10.0p1-5ubuntu5.1\", \"versionType\": \"dpkg\"}, {\"status\": \"affected\", \"version\": \"1:9.6p1-3ubuntu13\", \"lessThan\": \"1:9.6p1-3ubuntu13.15\", \"versionType\": \"dpkg\"}, {\"status\": \"affected\", \"version\": \"1:8.9p1-3\", \"lessThan\": \"1:8.9p1-3ubuntu0.14\", \"versionType\": \"dpkg\"}], \"packageName\": \"openssh\", \"collectionURL\": \"https://launchpad.net/ubuntu/\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-12T18:00:00.000Z\", \"references\": [{\"url\": \"https://ubuntu.com/security/CVE-2026-3497\", \"tags\": [\"vdb-entry\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2026/03/12/3\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-908\", \"description\": \"CWE-908 Use of Uninitialized Resource\"}]}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2026-03-12T18:44:06.073Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3497\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-16T18:24:30.556Z\", \"dateReserved\": \"2026-03-03T19:33:05.664Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2026-03-12T18:27:44.917Z\", \"assignerShortName\": \"canonical\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.