Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
AnalysisAI
OpenSSH before 10.3 fails to confirm connection multiplexing in proxy-mode sessions, allowing local attackers with user interaction to bypass intended access controls and potentially manipulate multiplexed connections. The vulnerability affects OpenSSH versions prior to 10.3p1 and requires local access with user interaction (UI:R) on the affected system; while the CVSS score is low (2.5) and integrity impact is limited, the omission of confirmation mechanisms in proxy-mode multiplexing creates a logic flaw that could enable unauthorized session hijacking or redirection in multi-user environments.
Technical ContextAI
OpenSSH implements connection multiplexing to reuse existing SSH sessions, reducing latency and overhead for subsequent connections to the same host. In proxy-mode multiplexing, a master connection acts as a proxy for subsequent connections. The vulnerability stems from CWE-420 (Uninitialized Variable), which in this context manifests as missing confirmation logic that should validate multiplexed connections before accepting proxy-mode requests. The affected versions lack proper handshake verification between the master multiplexing socket and client requests, allowing a local user to potentially inject or redirect multiplexed connections without explicit user confirmation or authorization. This is particularly relevant in shared hosting or multi-user SSH environments where multiple local users share access to the same multiplexing control socket.
RemediationAI
Vendor-released patch: OpenSSH 10.3p1 or later. Administrators should upgrade OpenSSH to version 10.3p1 or newer on all affected systems. The patched version restores the missing confirmation logic for proxy-mode multiplexing sessions, ensuring that multiplexed connections are properly validated before acceptance. For systems that cannot be immediately upgraded, administrators should restrict access to SSH control sockets (typically located in ~/.ssh/ControlPath directories) to prevent unauthorized local users from interacting with multiplexed connections. Refer to the official OpenSSH release notes at https://www.openssh.org/releasenotes.html#10.3p1 and the security discussion on the OpenSSH development mailing list at https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 for additional guidance.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-420 – Unprotected Alternate Channel
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18404