Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Non-default Kerberos/GSSAPI configuration required justifies AC:H; no auth needed to attempt trigger (PR:N); impact is partial availability only (A:L), no C or I.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
AnalysisAI
OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent non-default conditions: (1) GSSAPIAuthentication must be set to 'yes' in the target server's sshd_config - this is disabled by default in most OpenSSH distributions including RHEL - and (2) a functional Kerberos environment must be integrated with the SSH server, including a reachable KDC and properly configured keytab. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately characterizes this as a low-priority issue for most organizations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies an SSH server on a RHEL host with GSSAPIAuthentication enabled and a reachable Kerberos KDC. The attacker initiates a crafted GSSAPI authentication exchange designed to leave the auth-indicators array without a NULL terminator, causing the sshd cleanup routine to perform a heap out-of-bounds read. … |
| Remediation | No specific patched package version has been confirmed in the available data - monitor https://access.redhat.com/security/cve/CVE-2026-55654 and apply Red Hat security errata via 'dnf update openssh' once released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | undetermined | 1:8.4p1-5+deb11u3 | - |
| bullseye (security) | undetermined | 1:8.4p1-5+deb11u7 | - |
| bookworm | undetermined | 1:9.2p1-2+deb12u10 | - |
| bookworm (security) | undetermined | 1:9.2p1-2+deb12u9 | - |
| trixie | undetermined | 1:10.0p1-7+deb13u4 | - |
| trixie (security) | undetermined | 1:10.0p1-7+deb13u2 | - |
| forky, sid | undetermined | 1:10.3p1-4 | - |
| (unstable) | fixed | undetermined | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38414
GHSA-5mx2-7g4j-9m39