RHSA-2026:36759
Vulnerability from csaf_redhat - Published: 2026-07-08 13:09 - Updated: 2026-07-08 13:59A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:openssh-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
CWE-125 - Out-of-bounds ReadA flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:openssh-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:openssh-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nopenssh:\n * openssh-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-askpass-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-clients-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-keycat-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-keysign-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-server-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-sk-dummy-10.3p1-6.hum1 (aarch64, x86_64)\n * openssh-10.3p1-6.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:36759",
"url": "https://access.redhat.com/errata/RHSA-2026:36759"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55655",
"url": "https://access.redhat.com/security/cve/CVE-2026-55655"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55654",
"url": "https://access.redhat.com/security/cve/CVE-2026-55654"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55653",
"url": "https://access.redhat.com/security/cve/CVE-2026-55653"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36759.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-08T13:59:46+00:00",
"generator": {
"date": "2026-07-08T13:59:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:36759",
"initial_release_date": "2026-07-08T13:09:32+00:00",
"revision_history": [
{
"date": "2026-07-08T13:09:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-08T13:54:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-08T13:59:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@aarch64",
"product": {
"name": "openssh-main@aarch64",
"product_id": "openssh-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.3p1-6.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@src",
"product": {
"name": "openssh-main@src",
"product_id": "openssh-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.3p1-6.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openssh-main@x86_64",
"product": {
"name": "openssh-main@x86_64",
"product_id": "openssh-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openssh@10.3p1-6.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@aarch64"
},
"product_reference": "openssh-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@src"
},
"product_reference": "openssh-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openssh-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:openssh-main@x86_64"
},
"product_reference": "openssh-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-55653",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"discovery_date": "2026-04-26T18:54:39+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2462351"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: Double free in Red Hat Enterprise Linux versions of OpenSSH DH-GEX client path during FIPS known-group validation leads to client-side denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in OpenSSH affects clients operating in FIPS mode when negotiating Diffie-Hellman Group Exchange (DH-GEX) with a malicious SSH server. While it can lead to client process termination, resulting in a denial of service, the impact is limited to availability and does not result in broader system compromise. In order to exploit this vulnerability the attacker needs to trick the user to connect to an untrusted malicious server or compromise the server first. The availability impact is considered Low as the only impacted process is the single run of the SSH client trying to connect to the malicious server.\n\nThis vulnerability affects only the OpenSSH versions shipped with Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55653"
},
{
"category": "external",
"summary": "RHBZ#2462351",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462351"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55653",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55653"
}
],
"release_date": "2026-06-22T23:17:43.088000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:09:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36759"
},
{
"category": "workaround",
"details": "To mitigate this issue, OpenSSH clients operating in FIPS mode should avoid negotiating the `diffie-hellman-group-exchange-sha256` key exchange algorithm. This can be achieved by explicitly listing allowed key exchange algorithms in the client\u0027s SSH configuration file (e.g., `/etc/ssh/ssh_config` or `~/.ssh/config`), ensuring `diffie-hellman-group-exchange-sha256` is *not* included. For example, to use a subset of common algorithms, you might configure:\n\n```\nKexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\n```\n\n(Note: The above example `KexAlgorithms` list is illustrative and should be adjusted based on your environment\u0027s security requirements.)\n\nAdditionally, avoid using non-fatal client flows, such as `ssh-keyscan`, against untrusted SSH servers while FIPS mode is enabled. Changes to `ssh_config` will take effect for new SSH connections.",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: Double free in Red Hat Enterprise Linux versions of OpenSSH DH-GEX client path during FIPS known-group validation leads to client-side denial of service"
},
{
"cve": "CVE-2026-55654",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-04-26T19:17:42+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2462493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: Heap out-of-bounds read in Red Hat Enterprise Linux versions of OpenSSH GSSAPI indicator cleanup due to missing NULL sentinel termination",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated Low. A heap out-of-bounds read in OpenSSH\u0027s GSSAPI authentication component can lead to a denial of service. Exploitation requires `GSSAPIAuthentication` to be explicitly enabled, which is not the default configuration in Red Hat products, and a Kerberos environment providing authenticated `auth-indicators`. The impact is limited to the availability of the SSH authentication process.\n\nThis vulnerability doesn\u0027t affect the upstream OpenSSH versions and is restricted to the versions as shipped with Red Hat Enterprise Linux.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55654"
},
{
"category": "external",
"summary": "RHBZ#2462493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55654",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55654"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55654",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55654"
}
],
"release_date": "2026-06-22T23:18:14.750000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:09:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36759"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssh: Heap out-of-bounds read in Red Hat Enterprise Linux versions of OpenSSH GSSAPI indicator cleanup due to missing NULL sentinel termination"
},
{
"cve": "CVE-2026-55655",
"cwe": {
"id": "CWE-923",
"name": "Improper Restriction of Communication Channel to Intended Endpoints"
},
"discovery_date": "2026-04-26T18:39:13+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2462250"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: Local MITM of X11 forwarding via abstract UNIX socket pre-binding in Red Hat Enterprise Linux OpenSSH client versions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Moderate severity flaw. The OpenSSH client in Red Hat Enterprise Linux is vulnerable to a local man-in-the-middle attack on X11 forwarding connections. Exploitation requires an attacker to have local unprivileged access on the client system and for X11 forwarding to be explicitly enabled and in use, which is not a default configuration. The attack can compromise the confidentiality of forwarded X11 traffic. This vulnerability doesn\u0027t affect the upstream OpenSSH versions and is restricted to the versions as shipped with Red Hat Enterprise Linux.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55655"
},
{
"category": "external",
"summary": "RHBZ#2462250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462250"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55655",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55655"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55655",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55655"
}
],
"release_date": "2026-06-22T23:22:11.127000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:09:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36759"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable X11 forwarding on OpenSSH clients when it is not required. This can be achieved by avoiding the use of `-X` or `-Y` options when invoking `ssh`, or by setting `ForwardX11 no` in the SSH client configuration file (`~/.ssh/config` or `/etc/ssh/ssh_config`). Disabling X11 forwarding will prevent the client from attempting to establish X11 connections, thereby removing the attack vector.",
"product_ids": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:openssh-main@aarch64",
"Red Hat Hardened Images:openssh-main@src",
"Red Hat Hardened Images:openssh-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: Local MITM of X11 forwarding via abstract UNIX socket pre-binding in Red Hat Enterprise Linux OpenSSH client versions"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.