Skip to main content

Severity by source

Vendor (redhat) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

Non-default Kerberos/GSSAPI configuration required justifies AC:H; no auth needed to attempt trigger (PR:N); impact is partial availability only (A:L), no C or I.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 23, 2026 - 04:16 vuln.today
CVE Published
Jun 23, 2026 - 03:37 cve.org
LOW 3.7

DescriptionCVE.org

A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.

AnalysisAI

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify SSH server with GSSAPI/Kerberos enabled
Delivery
Initiate GSSAPI authentication exchange
Exploit
Supply auth-indicators array missing NULL terminator
Execution
Trigger heap out-of-bounds read during sshd cleanup
Persist
Crash SSH authentication handler
Impact
SSH service unavailable to legitimate users

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent non-default conditions: (1) GSSAPIAuthentication must be set to 'yes' in the target server's sshd_config - this is disabled by default in most OpenSSH distributions including RHEL - and (2) a functional Kerberos environment must be integrated with the SSH server, including a reachable KDC and properly configured keytab. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately characterizes this as a low-priority issue for most organizations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies an SSH server on a RHEL host with GSSAPIAuthentication enabled and a reachable Kerberos KDC. The attacker initiates a crafted GSSAPI authentication exchange designed to leave the auth-indicators array without a NULL terminator, causing the sshd cleanup routine to perform a heap out-of-bounds read. …
Remediation No specific patched package version has been confirmed in the available data - monitor https://access.redhat.com/security/cve/CVE-2026-55654 and apply Red Hat security errata via 'dnf update openssh' once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

Debian

openssh
Release Status Fixed Version Urgency
bullseye undetermined 1:8.4p1-5+deb11u3 -
bullseye (security) undetermined 1:8.4p1-5+deb11u7 -
bookworm undetermined 1:9.2p1-2+deb12u10 -
bookworm (security) undetermined 1:9.2p1-2+deb12u9 -
trixie undetermined 1:10.0p1-7+deb13u4 -
trixie (security) undetermined 1:10.0p1-7+deb13u2 -
forky, sid undetermined 1:10.3p1-4 -
(unstable) fixed undetermined -

Share

CVE-2026-55654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy