rpm package

almalinux/openssh

pkg:rpm/almalinux/openssh

Vulnerabilities (18)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-35414	Med	4.2	< 9.9p1-14.el10_1.alma.1	9.9p1-14.el10_1.alma.1	Apr 2, 2026	OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
CVE-2026-35388	Low	2.5	< 9.9p1-14.el10_1.alma.1	9.9p1-14.el10_1.alma.1	Apr 2, 2026	OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
CVE-2026-35387	Low	3.1	< 9.9p1-14.el10_1.alma.1	9.9p1-14.el10_1.alma.1	Apr 2, 2026	OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
CVE-2026-35386	Low	3.6	< 9.9p1-14.el10_1.alma.1	9.9p1-14.el10_1.alma.1	Apr 2, 2026	In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
CVE-2026-35385	Hig	7.5	< 9.9p1-14.el10_1.alma.1	9.9p1-14.el10_1.alma.1	Apr 2, 2026	In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
CVE-2026-3497	Hig	7.5	< 8.0p1-28.el8_10	8.0p1-28.el8_10	Mar 12, 2026	Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does
CVE-2025-61985	Low	3.6	< 9.9p1-12.el10_1.alma.1	9.9p1-12.el10_1.alma.1	Oct 6, 2025	ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
CVE-2025-61984	Low	3.6	< 9.9p1-12.el10_1.alma.1	9.9p1-12.el10_1.alma.1	Oct 6, 2025	ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file
CVE-2025-32728		—	< 9.9p1-11.el10.alma.1	9.9p1-11.el10.alma.1	Apr 10, 2025	In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
CVE-2025-26465	Med	6.8	< 8.0p1-26.el8_10	8.0p1-26.el8_10	Feb 18, 2025	A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying
CVE-2024-6409	Hig	7.0	< 8.7p1-38.el9_4.4	8.7p1-38.el9_4.4	Jul 8, 2024	A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions tha
CVE-2024-6387	Hig	8.1	< 8.7p1-38.el9_4.1	8.7p1-38.el9_4.1	Jul 1, 2024	A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time pe
CVE-2023-51385	Med	6.5	< 8.0p1-19.el8_9.2	8.0p1-19.el8_9.2	Dec 18, 2023	In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in
CVE-2023-48795	Med	5.9	< 8.0p1-19.el8_9.2	8.0p1-19.el8_9.2	Dec 18, 2023	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-38408		—	< 8.7p1-30.el9_2	8.7p1-30.el9_2	Jul 20, 2023	The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this is
CVE-2023-25136	Med	6.5	< 8.7p1-29.el9_2	8.7p1-29.el9_2	Feb 3, 2023	OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address
CVE-2021-41617	Hig	7.0	< 8.0p1-13.el8	8.0p1-13.el8	Sep 26, 2021	sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges
CVE-2020-15778		—	< 8.0p1-24.el8	8.0p1-24.el8	Jul 24, 2020	scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that

CVE-2026-35414MedApr 2, 2026
affected < 9.9p1-14.el10_1.alma.1fixed 9.9p1-14.el10_1.alma.1
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
CVE-2026-35388LowApr 2, 2026
affected < 9.9p1-14.el10_1.alma.1fixed 9.9p1-14.el10_1.alma.1
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
CVE-2026-35387LowApr 2, 2026
affected < 9.9p1-14.el10_1.alma.1fixed 9.9p1-14.el10_1.alma.1
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
CVE-2026-35386LowApr 2, 2026
affected < 9.9p1-14.el10_1.alma.1fixed 9.9p1-14.el10_1.alma.1
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
CVE-2026-35385HigApr 2, 2026
affected < 9.9p1-14.el10_1.alma.1fixed 9.9p1-14.el10_1.alma.1
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
CVE-2026-3497HigMar 12, 2026
affected < 8.0p1-28.el8_10fixed 8.0p1-28.el8_10
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does
CVE-2025-61985LowOct 6, 2025
affected < 9.9p1-12.el10_1.alma.1fixed 9.9p1-12.el10_1.alma.1
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
CVE-2025-61984LowOct 6, 2025
affected < 9.9p1-12.el10_1.alma.1fixed 9.9p1-12.el10_1.alma.1
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file
CVE-2025-32728Apr 10, 2025
affected < 9.9p1-11.el10.alma.1fixed 9.9p1-11.el10.alma.1
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
CVE-2025-26465MedFeb 18, 2025
affected < 8.0p1-26.el8_10fixed 8.0p1-26.el8_10
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying
CVE-2024-6409HigJul 8, 2024
affected < 8.7p1-38.el9_4.4fixed 8.7p1-38.el9_4.4
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions tha
CVE-2024-6387HigJul 1, 2024
affected < 8.7p1-38.el9_4.1fixed 8.7p1-38.el9_4.1
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time pe
CVE-2023-51385MedDec 18, 2023
affected < 8.0p1-19.el8_9.2fixed 8.0p1-19.el8_9.2
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in
CVE-2023-48795MedDec 18, 2023
affected < 8.0p1-19.el8_9.2fixed 8.0p1-19.el8_9.2
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-38408Jul 20, 2023
affected < 8.7p1-30.el9_2fixed 8.7p1-30.el9_2
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this is
CVE-2023-25136MedFeb 3, 2023
affected < 8.7p1-29.el9_2fixed 8.7p1-29.el9_2
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address
CVE-2021-41617HigSep 26, 2021
affected < 8.0p1-13.el8fixed 8.0p1-13.el8
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges
CVE-2020-15778Jul 24, 2020
affected < 8.0p1-24.el8fixed 8.0p1-24.el8
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that