OpenSSH GSSAPI Flaw Can Be Exploited to Crash SSH Child Processes

By Divya, March 13, 2026

A newly discovered vulnerability in the GSSAPI Key Exchange patch for OpenSSH puts multiple Linux distributions at risk. Tracked as CVE-2026-3497, the flaw allows unauthenticated attackers to crash SSH child processes with a single crafted packet, giving a reliable denial of service and a violation of the privilege separation boundary.

The Root Cause of CVE-2026-3497

The vulnerability stems from a coding error in the error-handling logic of the GSSAPI key exchange (KEX) server loop. On an error condition, the code calls the non-terminating function sshpkt_disconnect() instead of the intended terminating function ssh_packet_disconnect(). Because sshpkt_disconnect() only queues a disconnect message and returns rather than ending the process, execution falls through to a default error-handling case. That case reads an uninitialized stack variable named recv_tok, sends its contents to the privileged root monitor process over the privilege-separation Inter-Process Communication (IPC) channel, and then passes it to gss_release_buffer(). gss_release_buffer() in turn calls free() on a garbage pointer, causing severe memory corruption.

Key Technical Impacts and Exploitation Details

  • Zero-Click Trigger: Attackers do not need valid credentials or authentication to exploit the flaw. It is triggered by sending a single, maliciously crafted SSH packet of approximately 300 bytes.
  • Reliable Process Crashes: The bug guarantees a 100% reliable crash of the SSH child process. This typically results in a memory segmentation fault (SIGSEGV) or program abort (SIGABRT) on x86_64 architectures, triggering a 90-second SSH lockout.
  • Privilege Separation Violations: Up to 127KB of potentially sensitive heap data can be sent across privilege boundaries directly to the root monitor via IPC.

Affected Environments

The vulnerability impacts Linux distributions, primarily Ubuntu and Debian, that carry the GSSAPI Key Exchange patch on top of their standard OpenSSH packages. Servers are vulnerable if GSSAPIKeyExchange is enabled in their configuration.

Remediation and Patch Details

Canonical maintainers have provided a patch to resolve the defect. The fix is straightforward: replace the erroneous sshpkt_disconnect() call with ssh_packet_disconnect() at the three vulnerable server-side call sites in the kexgsss.c file. System administrators running Debian or Ubuntu servers should update their OpenSSH packages immediately.

For organizations unable to patch immediately, turning off the GSSAPIKeyExchange option in the SSH daemon configuration effectively mitigates the threat.
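The following script, added here and not part of the original article or of OpenSSH, checks whether an sshd_config file enables GSSAPIKeyExchange, the precondition the article gives for exposure. It assumes sshd's "first obtained value wins" rule for repeated keywords, inspects only the global section (scanning stops at the first Match block), and uses a constructed sample config; on a live host, `sshd -T` shows the effective configuration instead.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): report whether an
# sshd_config enables GSSAPIKeyExchange, the precondition for CVE-2026-3497.
# Assumptions: global section only (stops at the first Match block) and
# sshd's rule that the first value given for a keyword wins.

# Print the effective global GSSAPIKeyExchange value ("yes"/"no"/...) or "unset".
gsskex_value() {
    awk '
        # strip comments, normalise "keyword=value" to "keyword value", skip blanks
        { sub(/#.*/, ""); sub(/=/, " "); if (NF == 0) next }
        # directives below a Match block are conditional: stop here
        tolower($1) == "match" { exit }
        # first occurrence wins, as in sshd_config
        tolower($1) == "gssapikeyexchange" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 when the config enables GSSAPIKeyExchange (exposed if unpatched), 1 otherwise.
gsskex_enabled() {
    [ "$(gsskex_value "$1")" = "yes" ]
}

# Constructed sample config so the script runs self-contained.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
GSSAPIAuthentication yes
GSSAPIKeyExchange yes   # enables the GSSAPI KEX code path
GSSAPIKeyExchange no    # ignored: the first value wins
Match User backup
    GSSAPIKeyExchange no
EOF

if gsskex_enabled "$SAMPLE_CFG"; then
    echo "GSSAPIKeyExchange is enabled in $SAMPLE_CFG: update openssh-server or set it to 'no'"
else
    echo "GSSAPIKeyExchange is not enabled in $SAMPLE_CFG"
fi
```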


Original article: https://gbhackers.com/openssh-gssapi-flaw-can-be-exploited/