The flaw, tracked as CVE-2026-3497, affects systems that use the GSSAPI Key Exchange patch and could allow unauthenticated attackers to trigger denial‑of‑service conditions and cross privilege boundaries.
Security researcher Jeremy Brown originally discovered the issue.
The vulnerability primarily impacts Linux distributions such as Ubuntu and Debian that include the GSSAPI Key Exchange patch in their OpenSSH packages.
The issue originates from a mistake in the error-handling logic of the GSSAPI Key Exchange (KEX) server loop.
When an error occurs, the code mistakenly calls the function sshpkt_disconnect() instead of the intended ssh_packet_disconnect().
This difference is critical. The ssh_packet_disconnect() function is designed to terminate the connection immediately, while sshpkt_disconnect() only queues a disconnect message and allows the program to continue running.
Because the process is not properly terminated, the program falls through to a default error-handling path.
During this process, the code reads an uninitialized stack variable called recv_tok. The contents of this variable are then sent to the privileged root monitor process using Inter‑Process Communication (IPC).
The variable is subsequently passed to the function gss_release_buffer(), which attempts to free memory using the value stored in the uninitialized variable.
Since the pointer contains unpredictable data, the system attempts to call free() on a garbage memory address, leading to severe memory corruption and immediate process crashes.
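The following C program is an added illustration, not code from the article, from OpenSSH or from the GSSAPI Key Exchange patch. It models the three behaviours described above: a disconnect that is merely queued versus one that terminates, the fall-through into the default cleanup path, and a release call on a buffer that was never initialized. Every name in it (kex_server_loop, release_buffer, STACK_GARBAGE, the ssh_state struct, the mode enum) is invented for the model; the gss_buffer_desc stand-in only mirrors the shape of the real type, and stack residue is planted as a labelled sentinel because reading a genuinely uninitialized variable would be undefined behaviour. It also goes one step beyond the text by showing that initializing recv_tok on its own already turns the garbage free() into a harmless no-op, independently of the disconnect fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the GSSAPI buffer type (assumption: same shape as gss_buffer_desc). */
typedef struct { size_t length; void *value; } gss_buffer_desc;

/* Constructed sentinel standing in for whatever happened to be on the stack.
 * Reading a truly uninitialized variable is undefined behaviour, so the
 * vulnerable mode below plants this value explicitly instead. */
static char stack_residue[16];
#define STACK_GARBAGE ((void *)stack_residue)

/* Stand-in for gss_release_buffer(): frees the heap memory a buffer owns.
 * Releasing STACK_GARBAGE would hand a non-heap address to free() and crash
 * (the failure mode in the article); here it is reported instead so the model
 * keeps running. An empty buffer (value == NULL) is a harmless no-op, which is
 * what makes initialization a valid defence on its own. */
static int release_buffer(gss_buffer_desc *buf) {
    int rc = 0;
    if (buf->value == STACK_GARBAGE)
        rc = -1;                      /* would have been free() on garbage */
    else if (buf->value != NULL)
        free(buf->value);
    buf->value = NULL;
    buf->length = 0;
    return rc;
}

/* Minimal connection state for the model. */
typedef struct { bool disconnect_queued; bool terminated; } ssh_state;

/* Models sshpkt_disconnect() as the article describes it: the disconnect is
 * only queued and control returns to the caller. */
static void sshpkt_disconnect_sim(ssh_state *s) { s->disconnect_queued = true; }

/* Models ssh_packet_disconnect(): the connection is torn down at once. In
 * sshd this does not return; in the model the caller returns right after it. */
static void ssh_packet_disconnect_sim(ssh_state *s) { s->terminated = true; }

enum kex_mode {
    MODE_VULNERABLE,  /* uninitialized recv_tok, queued disconnect, fall-through */
    MODE_INIT_ONLY,   /* recv_tok initialized, but error path still falls through */
    MODE_FIXED        /* initialized, and error path terminates immediately */
};

enum kex_result { KEX_DONE = 0, KEX_TERMINATED = 1, KEX_FREED_GARBAGE = 2 };

/* One pass through a simplified KEX server loop. 'fail' injects the error
 * condition; 'mode' selects how the error is handled. */
static enum kex_result kex_server_loop(enum kex_mode mode, bool fail, ssh_state *s) {
    gss_buffer_desc recv_tok;

    recv_tok.length = 0;
    /* Vulnerable: whatever was on the stack; otherwise GSS_C_EMPTY_BUFFER equivalent. */
    recv_tok.value = (mode == MODE_VULNERABLE) ? STACK_GARBAGE : NULL;

    if (fail) {
        if (mode == MODE_FIXED) {
            ssh_packet_disconnect_sim(s);
            return KEX_TERMINATED;        /* nothing below is reached */
        }
        sshpkt_disconnect_sim(s);         /* queued only; execution continues */
    } else {
        /* Normal path: a token was received and recv_tok now owns heap memory. */
        recv_tok.length = 5;
        recv_tok.value = malloc(recv_tok.length);
        if (recv_tok.value == NULL) {
            ssh_packet_disconnect_sim(s);
            return KEX_TERMINATED;
        }
        memcpy(recv_tok.value, "token", recv_tok.length);
    }

    /* Default handling path: in sshd this is where recv_tok is forwarded to
     * the monitor and then released, whatever state it happens to be in. */
    return release_buffer(&recv_tok) == 0 ? KEX_DONE : KEX_FREED_GARBAGE;
}

/* Runs the loop with an injected error and returns the outcome; 'terminated'
 * (may be NULL) reports whether the connection was really torn down. */
static enum kex_result on_error(enum kex_mode mode, bool *terminated) {
    ssh_state s = {false, false};
    enum kex_result r = kex_server_loop(mode, true, &s);
    if (terminated) *terminated = s.terminated;
    return r;
}

int main(void) {
    const char *names[] = {"vulnerable", "init-only", "fixed"};
    for (int m = MODE_VULNERABLE; m <= MODE_FIXED; m++) {
        bool term = false;
        enum kex_result r = on_error((enum kex_mode)m, &term);
        printf("%-10s on error: result=%d terminated=%d\n", names[m], (int)r, (int)term);
    }
    return 0;
}
```

Running it prints one line per mode: the vulnerable mode reaches the release with garbage, the init-only mode survives because the empty buffer release is a no-op, and the fixed mode never reaches the cleanup path at all. The two fixes are independent: the patch described later in the article corrects the disconnect call, while initializing the buffer is the defence-in-depth habit that would have contained the bug even with the wrong call in place.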
Attackers can exploit this flaw without authentication, making it particularly dangerous for internet-facing SSH servers.
Key exploitation characteristics include:
The exact contents of the leaked memory depend on factors such as compiler settings, optimization levels, and build flags, which influence the stack layout during execution.
The vulnerability primarily affects Linux environments where OpenSSH is built with the GSSAPI Key Exchange patch.
Systems are vulnerable if the GSSAPIKeyExchange option is enabled in the SSH server configuration.
Ubuntu and Debian servers are the most commonly impacted because they include this patch in their packaged OpenSSH builds.
Canonical maintainers have already released a patch to fix the issue. The correction involves replacing the incorrect sshpkt_disconnect() call with the proper ssh_packet_disconnect() function at three vulnerable server-side locations within the kexgsss.c source file.
Administrators are strongly advised to update their OpenSSH packages as soon as patches become available through their distribution’s security updates.
For systems that cannot be patched immediately, administrators can mitigate the risk by disabling the GSSAPIKeyExchange option in the SSH daemon configuration.
This prevents the vulnerable code path from being triggered and protects systems until official updates are applied.
The post New OpenSSH Flaw in GSSAPI Authentication Can Trigger SSH Process Crashes appeared first on Cyber Security News.