A newly discovered vulnerability in OpenSSH is putting several Linux distributions at risk, allowing attackers to crash SSH processes with a single malicious packet. The flaw, tracked as CVE-2026-3497, affects systems that use the GSSAPI Key Exchange patch and could allow unauthenticated attackers to trigger denial-of-service conditions and cross privilege boundaries.
Security researcher Jeremy Brown originally discovered the issue, which was later disclosed to the open-source security community by Canonical security engineer Marc Deslauriers. The vulnerability primarily impacts Linux distributions such as Ubuntu and Debian that include the GSSAPI Key Exchange patch in their OpenSSH packages.

Root Cause of the Vulnerability

The issue originates from a mistake in the error-handling logic of the GSSAPI Key Exchange (KEX) server loop.
The code mistakenly calls the function sshpkt_disconnect() instead of the correct one, ssh_packet_disconnect(), when an error happens. This difference is very important. The ssh_packet_disconnect() function is meant to end the connection right away, but sshpkt_disconnect() only puts a disconnect message in the queue and lets the program keep running.
Because the process is not terminated correctly, execution falls through to a default error-handling path. On that path the code reads an uninitialized stack variable called recv_tok and sends its contents over Inter-Process Communication (IPC) to the privileged root monitor process. The variable is then passed to gss_release_buffer(), which tries to free memory using the value held in the uninitialized variable.
Because the pointer holds unpredictable data, the process calls free() on an invalid memory address, which causes serious memory corruption and an immediate crash. The flaw can be triggered without logging in, which makes it especially dangerous for SSH servers exposed to the internet. Key facts about exploitation:

Zero-click exploitation: Attackers only need to send a specially crafted SSH packet of about 300 bytes. No login or other interaction is required.

Reliable denial-of-service: The flaw always crashes the SSH child process, typically with a segmentation fault (SIGSEGV) or abort signal (SIGABRT) on x86_64 systems.

Service interruption: Each crash can lock out SSH for about 90 seconds.

Privilege-separation concerns: The root monitor process may receive up to 127 KB of potentially sensitive heap memory across the privilege boundary. The exact contents of the leaked memory depend on compiler settings, optimization levels, and build flags, which change how the stack is laid out at run time.

The flaw mostly affects Linux systems whose OpenSSH is built with the GSSAPI Key Exchange patch. Systems are at risk if the SSH server configuration has the GSSAPIKeyExchange option turned on. Ubuntu and Debian servers are the most affected because their packaged OpenSSH builds include this patch.

Fix and protect

Canonical maintainers have already released a patch to fix the problem.
Three places in the kexgsss.c source file on the server side that are vulnerable need to have the wrong sshpkt_disconnect() call replaced with the right ssh_packet_disconnect() function. It is very important that administrators update their OpenSSH packages as soon as patches are made available through their distribution's security updates. If a system can't be patched right away, administrators can lower the risk by turning off the GSSAPIKeyExchange option in the SSH daemon configuration.
This prevents the vulnerable code path from being triggered and protects systems until official updates are applied.
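To confirm that the interim mitigation described above is actually in place, here is an added example (not from the article or the OpenSSH project) that reads an sshd_config file and reports the effective global GSSAPIKeyExchange value. It assumes standard sshd_config parsing rules (first occurrence wins, case-insensitive keywords, "key value" or "key=value", '#' comments) and treats an absent keyword as "no", the patch's assumed default.

```shell
#!/bin/sh
# Added example, not from the article: report the effective global value of
# GSSAPIKeyExchange in an sshd_config file so an admin can verify the
# mitigation (turning the option off) is really in effect.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, "key value" or "key=value" forms, '#' starts a comment,
# and a missing keyword means "no" (assumed default of the GSSAPI KEX patch).
# Settings inside Match blocks are conditional, so scanning stops at "Match".

gssapi_kex_setting() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, normalise key=value
        NF == 0 { next }                      # skip blank lines
        tolower($1) == "match" { exit }       # conditional section: stop here
        tolower($1) == "gssapikeyexchange" && !found { found = 1; val = tolower($2) }
        END { print (found ? val : "no") }
    ' "$1"
}

# Exit status 0 when the option is enabled, i.e. the vulnerable path is reachable.
gssapi_kex_enabled() {
    [ "$(gssapi_kex_setting "$1")" = "yes" ]
}

# Demo on a constructed sample config (not a real system file): sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Port 22
GSSAPIAuthentication yes
GSSAPIKeyExchange = yes
GSSAPIKeyExchange no   # ignored: the first occurrence wins
EOF
    if gssapi_kex_enabled "$tmp"; then
        echo "GSSAPIKeyExchange is enabled: disable it or apply the OpenSSH update"
    else
        echo "GSSAPIKeyExchange is off"
    fi
    rm -f "$tmp"
fi
```

This only inspects the file; on a build that carries the patch, `sshd -T` prints the effective configuration of the running binary and is the authoritative check.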