Debian and Ubuntu: OpenSSH GSSAPI Vulnerability Allows an Attacker to Crash SSH Child Processes

Critical OpenSSH GSSAPI Vulnerability (CVE-2026-3497) Exposes Linux Systems to Remote Crashes and Privilege Escalation Risks

A severe vulnerability in the GSSAPI Key Exchange implementation of OpenSSH, tracked as CVE-2026-3497, has been discovered by security researcher Jeremy Brown. The flaw affects multiple Linux distributions that applied the GSSAPI patch to their OpenSSH packages, enabling attackers to crash SSH child processes reliably and violate privilege separation boundaries with a single crafted network packet.

The issue originates from a one-line coding error in kexgsss.c, the server-side GSSAPI key exchange handler. The function sshpkt_disconnect(), which only queues a disconnect message, was mistakenly used instead of ssh_packet_disconnect(), which terminates the process. Because execution continues after the queued disconnect, the error handler proceeds into code that reads an uninitialized stack variable (recv_tok), whose contents are then passed to the privileged monitor process via IPC. The result is heap corruption when gss_release_buffer() attempts to free a garbage pointer.

Key details of the vulnerability include:

  • Exploitation requirements: a single 300-byte SSH packet; no authentication is needed.
  • Impact: 100% reliable crashes of SSH child processes on tested systems, with a 90-second lockout on x86_64 platforms. Crashes may trigger SIGABRT (signal 6) or SIGSEGV (signal 11).
  • Privilege separation risk: Up to 127KB of heap data can be transmitted to the root-level monitor process via the privsep IPC channel, potentially enabling further exploitation.
  • Variability across systems: Compiler flags and optimizations affect the severity. For example:
    • Clang (-O0): Leaves a pointer value of 0xfffbe600 (4 bytes).
    • GCC (-O2 -fno-stack-protector): Leaves a valid heap address (127,344 bytes).
    • Tested configurations: recv_tok.value may point to NULL, stack/heap addresses, or unmapped memory.

Affected systems include Ubuntu and Debian servers with GSSAPIKeyExchange enabled, though the scope likely extends to other distributions because of variations in the GSSAPI KEX patch. The fix is straightforward: replace all instances of sshpkt_disconnect() with ssh_packet_disconnect() in kexgsss.c. Ubuntu has already released a patch, and administrators are advised to apply updates or disable GSSAPIKeyExchange as a temporary mitigation.
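Two defender-side checks for the issue above, written as an added example (not code from the article or from OpenSSH): an audit of whether GSSAPIKeyExchange is effectively enabled in an sshd configuration, and a filter that pulls sshd child crashes (SIGSEGV/SIGABRT) out of journal lines. It assumes sshd's first-occurrence-wins rule for repeated keywords, a default of "no" when the directive is absent (as in the Debian/Ubuntu patch), and the constructed sample config and log lines embedded below.

```python
import re

# Constructed sshd_config fragment; sshd keeps the first occurrence of a keyword.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
gssapikeyexchange yes
GSSAPIAuthentication yes
GSSAPIKeyExchange no
"""

# Constructed journal lines: one kernel SIGSEGV report, one core dump, two benign lines.
SAMPLE_JOURNAL = """\
Mar 12 10:01:02 host kernel: sshd[4321]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007ffd11223344 error 4 in libgssapi_krb5.so.2
Mar 12 10:01:02 host systemd-coredump[4330]: Process 4321 (sshd) of user 0 dumped core.
Mar 12 10:01:05 host sshd[4322]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar 12 10:01:09 host sshd[4340]: Connection closed by 192.0.2.11 port 40022 [preauth]
"""

def gssapi_kex_enabled(config_text: str) -> bool:
    """Return the effective GSSAPIKeyExchange value (True means enabled).
    Keywords are case-insensitive and may use 'Key value' or 'Key=value';
    Include directives are not followed (assumption: config is self-contained)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "gssapikeyexchange":
            return parts[1].strip().lower() == "yes"  # first occurrence wins
    return False  # directive absent: assumed default of "no" in the distro patch

# Crash signatures: kernel segfault line (SIGSEGV) and a systemd-coredump record
# (covers SIGABRT too). Newer OpenSSH names the child "sshd-session".
CRASH_PATTERNS = [
    re.compile(r"\bsshd(?:-session)?\[\d+\]: segfault at"),
    re.compile(r"Process \d+ \(sshd(?:-session)?\) of user \d+ dumped core"),
]

def sshd_crash_events(journal_text: str) -> list:
    """Return the journal lines that look like sshd child crashes."""
    return [ln for ln in journal_text.splitlines()
            if any(p.search(ln) for p in CRASH_PATTERNS)]

if __name__ == "__main__":
    print("GSSAPIKeyExchange enabled:", gssapi_kex_enabled(SAMPLE_SSHD_CONFIG))
    for event in sshd_crash_events(SAMPLE_JOURNAL):
        print("crash:", event)
```

On a live host, feed `sshd -T` output to gssapi_kex_enabled() to get the resolved configuration, and `journalctl -k -u ssh` (or the distribution's equivalent) to sshd_crash_events(); a burst of matches on a host with the directive enabled is the condition to act on.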

Source: https://cybersecuritynews.com/openssh-gssapi-vulnerability/
