Many Linux distributions ship the GSSAPI Key Exchange patch on top of their OpenSSH packages, and that patch carried a major security hole in its disconnect error handling. Security researcher Jeremy Brown found the flaw, which is tracked as CVE-2026-3497.

With just one carefully crafted network packet, an attacker can reliably crash SSH child processes and possibly break the privilege separation boundary. The flaw that makes this possible is a one-line code error in kexgsss.c, the server-side GSSAPI key exchange handler. In the default error-handling case, the non-terminating function sshpkt_disconnect() was used instead of the process-terminating function ssh_packet_disconnect(). Because sshpkt_disconnect() only queues a disconnect message and returns rather than stopping execution, control falls through to code that reads an uninitialized stack variable called recv_tok.

OpenSSH GSSAPI Security Hole

The contents of that variable are then sent to the privileged monitor process over IPC and handed to gss_release_buffer(). That function can call free() on a garbage pointer, which causes confirmed heap corruption. Brown's analysis classifies the bug as CWE-824 (access of an uninitialized pointer) and CWE-908 (use of an uninitialized resource).

Important details about the impact: a single crafted SSH packet of about 300 bytes is enough to trigger the flaw, and no credentials are needed. On x86_64 systems, triggering it causes SIGABRT (signal 6) or SIGSEGV (signal 11) and locks out SSH for 90 seconds. In the tested setups, the child process crash was reliable every time.

The privsep IPC channel can carry up to 127KB of heap data to the root-level monitor process, which is a serious breach of the privilege separation boundary. The severity of the vulnerability varies a lot between distributions because of differing compiler options and optimization flags. A Clang build at -O0 leaves recv_tok holding the pointer value 0xfffbe600 with a length of 4 bytes; a GCC build at -O2 -fno-stack-protector leaves a valid heap address with a length of 127,344 bytes.

An eight-build test matrix verified that recv_tok.value can be anything from NULL to stack addresses, heap addresses, or memory that is not mapped at all. OpenSSH servers on Ubuntu and Debian systems with GSSAPIKeyExchange yes enabled are confirmed as potentially affected. Many different versions of the GSSAPI KEX patch are floating around the Linux ecosystem, so the effects are probably more widespread than just these two distributions.

The fix is simple: at the three server-side call sites in kexgsss.c, change sshpkt_disconnect() to ssh_packet_disconnect(). Ubuntu has already released a patch for this problem. If you're an administrator running OpenSSH with GSSAPI key exchange turned on, apply any available distribution updates right away or set GSSAPIKeyExchange no as a short-term fix.
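To show why swapping that one call matters, here is an added, self-contained C model of the error path, written for this article and not taken from OpenSSH or the GSSAPI patch: the message number, the poison value standing in for the uninitialized stack slot, and the longjmp-based stand-in for process termination are all assumptions of the model.

```c
#include <setjmp.h>
#include <string.h>
typedef struct { void *value; size_t length; } tok_t; /* stand-in for gss_buffer_desc */
/* Constructed poison standing in for "whatever the stack held" (the -O0 value
 * from the article). The real bug reads truly uninitialized memory; this model
 * deliberately does not, so its behaviour is well defined. */
#define STACK_GARBAGE ((void *)0xfffbe600UL)
#define MSG_KEXGSS_INIT 30 /* placeholder message number, not the real wire value */
static int disconnect_queued, forwarded_to_monitor; /* counters for the test */
static tok_t forwarded;                             /* last token handed to the "monitor" */
static jmp_buf fatal_jmp;
/* Model of sshpkt_disconnect(): queues the message and RETURNS to the caller. */
static int queue_disconnect(const char *why) { (void)why; disconnect_queued++; return 0; }
/* Model of ssh_packet_disconnect(): queues the message and never returns
 * (the real one tears the process down; longjmp keeps this model testable). */
static void fatal_disconnect(const char *why) { queue_disconnect(why); longjmp(fatal_jmp, 1); }

/* Model of the privsep IPC step that hands the token to the monitor for gss_release_buffer(). */
static void send_to_monitor(tok_t t) { forwarded = t; forwarded_to_monitor = 1; }

/* Vulnerable shape: the default case returns, so the garbage token is still forwarded. */
static void handle_vulnerable(int type, char *payload) {
    tok_t recv_tok = { STACK_GARBAGE, 4 }; /* models the uninitialized stack slot */
    switch (type) {
    case MSG_KEXGSS_INIT: recv_tok.value = payload; recv_tok.length = strlen(payload); break;
    default: queue_disconnect("unexpected message"); /* BUG: execution continues */
    }
    send_to_monitor(recv_tok);
}

/* Fixed shape: the only change is the terminating call in the default case. */
static void handle_fixed(int type, char *payload) {
    tok_t recv_tok = { STACK_GARBAGE, 4 };
    switch (type) {
    case MSG_KEXGSS_INIT: recv_tok.value = payload; recv_tok.length = strlen(payload); break;
    default: fatal_disconnect("unexpected message"); /* never returns */
    }
    send_to_monitor(recv_tok);
}

/* Drive a handler with an unexpected message type; returns 1 if a token was forwarded. */
static int run_unexpected(void (*handler)(int, char *)) {
    disconnect_queued = forwarded_to_monitor = 0;
    if (setjmp(fatal_jmp) == 0)
        handler(99, "");
    return forwarded_to_monitor;
}
```

With the non-terminating call the poison token reaches the monitor step; with the terminating call the handler queues the disconnect and the forwarding line is never executed.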
