Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Local-only attack requiring low-privilege account, race/pre-binding complexity, victim-initiated X11 session, and no availability impact independently support each metric choice.
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
AnalysisAI
X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | X11 forwarding must be explicitly enabled for the SSH client session - either via 'ForwardX11 yes' or 'ForwardX11Trusted yes' in ssh_config, or via the -X or -Y command-line flags. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.0 with vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N captures the real-world risk reasonably well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious unprivileged employee or contractor with a shell account on a shared Linux developer jump host monitors for peer SSH activity and pre-binds the predictable abstract UNIX domain socket name used by OpenSSH X11 forwarding before a privileged colleague initiates their SSH session with X11 enabled. The colleague's SSH client, finding the intended abstract socket already bound, routes the X11 forwarding channel through the attacker-controlled endpoint, giving the attacker a real-time view of the colleague's X11 session including passwords typed in terminal emulators, browser content displayed in X applications, and the ability to inject limited input into the session. |
| Remediation | Consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-55655 for the patched OpenSSH package version, as no specific fixed version number has been confirmed in the available intelligence - patch availability per vendor advisory should be assumed pending confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | undetermined | 1:8.4p1-5+deb11u3 | - |
| bullseye (security) | undetermined | 1:8.4p1-5+deb11u7 | - |
| bookworm | undetermined | 1:9.2p1-2+deb12u10 | - |
| bookworm (security) | undetermined | 1:9.2p1-2+deb12u9 | - |
| trixie | undetermined | 1:10.0p1-7+deb13u4 | - |
| trixie (security) | undetermined | 1:10.0p1-7+deb13u2 | - |
| forky, sid | undetermined | 1:10.3p1-4 | - |
| (unstable) | fixed | undetermined | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38413
GHSA-wcvf-3x75-j4c6