CVE-2026-3497

Low

Low Medium High Critical

CVSS Score

Published: Mar 12, 2026

Last Modified: Apr 16, 2026

Vulnerability Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Available Security Patches

3 patches available from vendors

View All Patches

SUSE

CVE-2026-3497

Severity

Unknown

Released

Apr 16, 2026

Security Update

View Details Vendor Page

Canonical (Ubuntu)

USN-8090-2

USN-8090-2: OpenSSH vulnerabilities

Severity

Unknown

Released

Mar 12, 2026

Security Update

View Details Vendor Page

Canonical (Ubuntu)

USN-8090-1

USN-8090-1: OpenSSH vulnerabilities

Severity

Unknown

Released

Mar 12, 2026

Security Update

View Details Vendor Page

Browse All Security Patches

References & Resources

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-908

Use of Uninitialized Resource

Description: The product uses or accesses a resource that has not been initialized.
Exploit Likelihood: Medium
Typical Severity: High
Abstraction Level: Base