CVE-2026-3497

Name: CVE-2026-3497
Creator: NVD / NIST
Published: 2026-03-12T19:16:19.91+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.9/10EPSS 1.96%

Last modified Jun 17, 2026

CVE-2026-3497 is a medium-severity vulnerability rated 6.9/10 on the CVSS scale. Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. EPSS estimates a 1.96% chance of exploitation in the next 30 days.

Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0

6.9/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

1.96%

77.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-908

Affected Software

Vendor	Product	Versions
Canonical	Ubuntu Linux	25.10
Openbsd	Openssh	All versions
Canonical	Ubuntu Linux	20.04
Canonical	Ubuntu Linux	22.04
Canonical	Ubuntu Linux	24.04
Debian	Debian Linux	11.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux	10.0

References

https://ubuntu.com/security/CVE-2026-3497Third Party Advisory
https://www.openwall.com/lists/oss-security/2026/03/12/3Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/12/3Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/14/3Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/14/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/18/2Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/18/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/18/5Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/18/7Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2026/04/msg00014.htmlMailing List, Third Party Advisory

Timeline

Published: Mar 12, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-3497?

How severe is CVE-2026-3497?

CVE-2026-3497 has a CVSS score of 6.9/10 (MEDIUM severity). The EPSS model estimates a 1.96% probability of exploitation in the next 30 days.

How do I fix CVE-2026-3497?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-3497?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST