Skip to main content

SSH EUVDEUVD-2026-18404

| CVE-2026-35388 LOW
Unprotected Alternate Channel (CWE-420)
2026-04-02 cve@mitre.org
2.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.5 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.3
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18404
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
LOW 2.5

DescriptionCVE.org

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

AnalysisAI

OpenSSH before 10.3 fails to confirm connection multiplexing in proxy-mode sessions, allowing local attackers with user interaction to bypass intended access controls and potentially manipulate multiplexed connections. The vulnerability affects OpenSSH versions prior to 10.3p1 and requires local access with user interaction (UI:R) on the affected system; while the CVSS score is low (2.5) and integrity impact is limited, the omission of confirmation mechanisms in proxy-mode multiplexing creates a logic flaw that could enable unauthorized session hijacking or redirection in multi-user environments.

Technical ContextAI

OpenSSH implements connection multiplexing to reuse existing SSH sessions, reducing latency and overhead for subsequent connections to the same host. In proxy-mode multiplexing, a master connection acts as a proxy for subsequent connections. The vulnerability stems from CWE-420 (Uninitialized Variable), which in this context manifests as missing confirmation logic that should validate multiplexed connections before accepting proxy-mode requests. The affected versions lack proper handshake verification between the master multiplexing socket and client requests, allowing a local user to potentially inject or redirect multiplexed connections without explicit user confirmation or authorization. This is particularly relevant in shared hosting or multi-user SSH environments where multiple local users share access to the same multiplexing control socket.

RemediationAI

Vendor-released patch: OpenSSH 10.3p1 or later. Administrators should upgrade OpenSSH to version 10.3p1 or newer on all affected systems. The patched version restores the missing confirmation logic for proxy-mode multiplexing sessions, ensuring that multiplexed connections are properly validated before acceptance. For systems that cannot be immediately upgraded, administrators should restrict access to SSH control sockets (typically located in ~/.ssh/ControlPath directories) to prevent unauthorized local users from interacting with multiplexed connections. Refer to the official OpenSSH release notes at https://www.openssh.org/releasenotes.html#10.3p1 and the security discussion on the OpenSSH development mailing list at https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 for additional guidance.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

EUVD-2026-18404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy