{ "threat_severity" : "Important", "public_date" : "2026-03-12T18:27:44Z", "bugzilla" : { "description" : "openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables", "id" : "2447085", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447085" }, "cvss3" : { "cvss3_base_score" : "8.2", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-824", "details" : [ "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.", "A flaw was found in the OpenSSH GSSAPI (Generic Security Service Application Program Interface) delta patches, as included in various Linux distributions. A remote attacker could exploit this by sending an unexpected GSSAPI message type during the key exchange process. This occurs because the `sshpkt_disconnect()` function, when called on an error, does not properly terminate the process, leading to the continued execution of the program with uninitialized connection variables. Accessing these uninitialized variables can lead to undefined behavior, potentially resulting in information disclosure or a denial of service." ], "statement" : "IMPORTANT: This vulnerability affects the OpenSSH GSSAPI delta as implemented in Red Hat Enterprise Linux and OpenShift Container Platform. An unauthenticated attacker could send a specially crafted GSSAPI message during key exchange, leading to the use of uninitialized variables and potentially undefined behavior. The severity of the impact is dependent on compiler hardening configurations.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6463", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "openssh-0:9.9p1-13.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-04-08T00:00:00Z", "advisory" : "RHSA-2026:7107", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "openssh-0:9.9p1-7.el10_0.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6461", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "openssh-0:8.0p1-28.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6461", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "openssh-0:8.0p1-28.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:15891", "cpe" : "cpe:/a:redhat:rhel_aus:8.4", "package" : "openssh-0:8.0p1-7.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:15891", "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4", "package" : "openssh-0:8.0p1-7.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:15893", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "openssh-0:8.0p1-15.el8_6.4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:15893", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "openssh-0:8.0p1-15.el8_6.4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:15893", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "openssh-0:8.0p1-15.el8_6.4" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14924", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "openssh-0:8.0p1-20.el8_8.3" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14924", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "openssh-0:8.0p1-20.el8_8.3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6462", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "openssh-0:8.7p1-48.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6462", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "openssh-0:8.7p1-48.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13750", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "openssh-0:8.7p1-13.el9_0.2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-04-27T00:00:00Z", "advisory" : "RHSA-2026:10714", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "openssh-0:8.7p1-30.el9_2.10" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9732", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "openssh-0:8.7p1-38.el9_4.7" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9415", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "openssh-0:8.7p1-45.el9_6.2" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2026-05-13T00:00:00Z", "advisory" : "RHSA-2026:15087", "cpe" : "cpe:/a:redhat:openshift:4.14::el9", "package" : "rhcos-414.92.202605060243-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.15", "release_date" : "2026-05-13T00:00:00Z", "advisory" : "RHSA-2026:14773", "cpe" : "cpe:/a:redhat:openshift:4.15::el9", "package" : "rhcos-415.92.202605060220-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.17", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:17596", "cpe" : "cpe:/a:redhat:openshift:4.17::el9", "package" : "rhcos-417.94.202605112123-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.18", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:12071", "cpe" : "cpe:/a:redhat:openshift:4.18::el9", "package" : "rhcos-418.94.202604240015-0" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-businesscentral-monitoring-rhel8:7.13.5-4.1777325677" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-businesscentral-rhel8:7.13.5-4.1777325711" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-controller-rhel8:7.13.5-4.1777325710" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-dashbuilder-rhel8:7.13.5-3.1777325680" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kieserver-rhel8:7.13.5-4.1777325709" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-process-migration-rhel8:7.13.5-4.1777325680" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13812", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-smartrouter-rhel8:7.13.5-4.1777325708" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19724", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-cuda-rhel9:1779223654" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19725", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-rocm-rhel9:1779223651" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:16008", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/model-opt-cuda-rhel9:1778244559" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:16009", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-rocm-rhel9:1778244531" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:16030", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-cuda-rhel9:1778274666" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16174", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-spyre-rhel9:1778244546" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-03-23T00:00:00Z", "advisory" : "RHSA-2026:5475", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "openssh-main-10.2p1-9.hum1" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10065", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/installer-rhel9:1776868772" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10065", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/rhua-rhel9:1776868842" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "openssh", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "openssh", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3497\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3497\nhttps://ubuntu.com/security/CVE-2026-3497\nhttps://www.openwall.com/lists/oss-security/2026/03/12/3" ], "name" : "CVE-2026-3497", "mitigation" : { "value" : "To mitigate this issue, disable GSSAPI key exchange in the OpenSSH server configuration. This prevents the server from processing GSSAPI messages, eliminating the vulnerability's attack surface.\nEdit `/etc/ssh/sshd_config` and add or modify the line:\n```\nGSSAPIKeyExchange no\n```\nAfter saving the changes, restart the `sshd` service for the mitigation to take effect. This action will prevent users from authenticating via GSSAPI.\n```\n# systemctl restart sshd\n```", "lang" : "en:us" }, "csaw" : false }